72ebc223bef1bf4cabad9c7eb6e520f0d93554f2807d4c8875be24dc3ab129a4 (SHA256)
FRS.exe
Windows Exe (x86-32)
Created at 2018-03-11 10:08:00
Monitored Processes
Behavior Information - Grouped by Category
Process #1: frs.exe
179
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\5jghkoaofdp\desktop\frs.exe |
| Command Line | "C:\Users\5JgHKoaOfdp\Desktop\FRS.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:28, Reason: Analysis Target |
| Unmonitor | End Time: 00:01:39, Reason: Self Terminated |
| Monitor Duration | 00:01:11 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa3c |
| Parent PID | 0x3f8 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A4C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x0004efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x001b0000 | 0x0022dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00230fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0037ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0038ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00390fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00393fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003a3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| frs.exe | 0x00400000 | 0x004b3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x00647fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0077ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x00900fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x0094ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000950000 | 0x00950000 | 0x01d4ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001d50000 | 0x01d50000 | 0x01e7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001d50000 | 0x01d50000 | 0x01e40fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001e70000 | 0x01e70000 | 0x01e7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x01e80000 | 0x02154fff | Memory Mapped File | Readable |
|
|
|
- |
| shcore.dll | 0x74830000 | 0x748a5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shfolder.dll | 0x748b0000 | 0x748b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x748e0000 | 0x749bafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apphelp.dll | 0x749c0000 | 0x74a58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x75a50000 | 0x76bfcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007fd80000 | 0x7fd80000 | 0x7fdcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fdd0000 | 0x7fdd0000 | 0x7fe3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe40000 | 0x7fe40000 | 0x7feaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fe60000 | 0x7fe60000 | 0x7feaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\5jghko~1\appdata\local\temp\ccep00el.bat | 2.61 KB |
MD5:
60dfa4196aadcc1d7e647a40aaba2b4d
SHA1: 97d1d8916ccc631b4d7f6a596d12a299a571c167 SHA256: 3cdfcdb0ccb062fea23cc7605639e3c8b0b1e6de4c318fffd2adb71c9931b001 |
|
|
| c:\users\5jghkoaofdp\appdata\local\qb1143663.0f\chinese_national_flag.png | 9.19 KB |
MD5:
82c2228d8775b2a2b1325cb824ee0d1a
SHA1: 49fd65ad486e55602308780b81ed80c421c5f8bd SHA256: debbf84b752eef8d137626710fc771bf3d7d1d21d218156dd126915920c6dbc7 |
|
|
| c:\users\5jghkoaofdp\appdata\local\qb1143663.0f\frs_decryptor.exe | 296.00 KB |
MD5:
a7ffea3a80b4d5e4a39f170dc6603bab
SHA1: 1cf36c82454f4c3415feb509c94a3180fa840efa SHA256: c5f6d1db3e0707a8d694989a0eae063109e0ff310b42c0933d9411833301bd29 |
|
|
| c:\users\5jghkoaofdp\appdata\local\qb1143663.0f\read_me_help_me.png | 125.17 KB |
MD5:
32555b61eece08c2091ba534ade60e79
SHA1: 2baf7b08d9c136c91173e309825e702d18fbe1e3 SHA256: 64c9e25a8309936f42bcbd71fb676fa09ccafbf66b25470be455bd8d6db0ea7e |
|
|
| c:\users\5jghkoaofdp\appdata\local\qb1143663.0f\read_me_help_me.txt | 0.89 KB |
MD5:
2fbe761d4e8ef1a82476360c674ad881
SHA1: bb5a7318691df1cb5a169ce9fe07364e824ee091 SHA256: 803de6ab58ee7f106e2dbc0b207821b7160ff133b5f1e05871a4a7c6c794f47d |
|
|
Host Behavior
File (13)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5JGHKO~1\AppData\Local\Temp\CCEP00EL.bat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\Chinese_national_flag.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\FRS_Decryptor.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\READ_ME_HELP_ME.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\READ_ME_HELP_ME.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create Directory | C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F | - |
|
1 | |
| Get Info | C:\Users\5JGHKO~1\AppData\Local\Temp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JGHKO~1\AppData\Local\Temp\CCEP00EL.bat | type = file_attributes |
|
1 | |
| Write | C:\Users\5JGHKO~1\AppData\Local\Temp\CCEP00EL.bat | size = 2670 |
|
1 | |
| Write | C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\Chinese_national_flag.png | size = 9409 |
|
1 | |
| Write | C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\FRS_Decryptor.exe | size = 303104 |
|
1 | |
| Write | C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\READ_ME_HELP_ME.png | size = 128170 |
|
1 | |
| Write | C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\READ_ME_HELP_ME.txt | size = 915 |
|
1 |
Registry (3)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Borland\Locales | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Borland\Locales | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Borland\Delphi\Locales | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | cmd.exe /c ""C:\Users\5JGHKO~1\AppData\Local\Temp\CCEP00EL.bat" "C:\Users\5JgHKoaOfdp\Desktop\FRS.exe" " | os_pid = 0xa5c, creation_flags = CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 |
Module (155)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Users\5JgHKoaOfdp\Desktop\FRS.ENU | base_address = 0x0 |
|
1 | |
| Load | C:\Users\5JgHKoaOfdp\Desktop\FRS.EN | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
6 | |
| Get Handle | c:\windows\syswow64\oleaut32.dll | base_address = 0x74d90000 |
|
3 | |
| Get Handle | c:\windows\syswow64\advapi32.dll | base_address = 0x74d10000 |
|
1 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x75460000 |
|
2 | |
| Get Handle | c:\windows\syswow64\shfolder.dll | base_address = 0x748b0000 |
|
1 | |
| Get Handle | c:\users\5jghkoaofdp\desktop\frs.exe | base_address = 0x400000 |
|
1 | |
| Get Filename | c:\users\5jghkoaofdp\desktop\frs.exe | process_name = c:\users\5jghkoaofdp\desktop\frs.exe, file_name_orig = C:\Users\5JgHKoaOfdp\Desktop\FRS.exe, size = 261 |
|
1 | |
| Get Filename | - | process_name = c:\users\5jghkoaofdp\desktop\frs.exe, file_name_orig = C:\Users\5JgHKoaOfdp\Desktop\FRS.exe, size = 261 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualProtect, address_out = 0x74f8971f |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SysFreeString, address_out = 0x74d93ddc |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SysReAllocStringLen, address_out = 0x74d98b29 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SysAllocStringLen, address_out = 0x74d94042 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExA, address_out = 0x74d111a8 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExA, address_out = 0x74d11197 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x74d11164 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetKeyboardType, address_out = 0x754b2379 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DestroyWindow, address_out = 0x749dc030 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadStringA, address_out = 0x754841cf |
|
2 | |
| Get Address | c:\windows\syswow64\user32.dll | function = MessageBoxA, address_out = 0x754d279e |
|
2 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CharNextA, address_out = 0x75479fbd |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x74f89864 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x74f898c0 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualFree, address_out = 0x74f837a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAlloc, address_out = 0x74f837c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x74f9607c |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x74f83760 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x74f81960 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InterlockedDecrement, address_out = 0x74f89067 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InterlockedIncrement, address_out = 0x74f88f69 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualQuery, address_out = 0x74f89a6e |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x74f87cf2 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x74f84eb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x74f90cf8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpynA, address_out = 0x74f95aa3 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExA, address_out = 0x74f8bd19 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetThreadLocale, address_out = 0x74f8cfec |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoA, address_out = 0x74f8a47c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x74f8980c |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleA, address_out = 0x74f8a647 |
|
3 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameA, address_out = 0x74f8c329 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoA, address_out = 0x74f9460c |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineA, address_out = 0x74f8ce24 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibrary, address_out = 0x74f8bf0a |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstFileA, address_out = 0x74f97398 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindClose, address_out = 0x74f97368 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x74f97f64 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x74f975fc |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x74fb3e7f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x74f8c83c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RaiseException, address_out = 0x74f8cab0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x74f8c433 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x74f83560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x74f81940 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x74f87cd6 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSystemMetrics, address_out = 0x7546b722 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CharPrevA, address_out = 0x754814d6 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CharToOemA, address_out = 0x754d630d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x74f972d8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x74f8a7d7 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointer, address_out = 0x74f975b4 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileAttributesA, address_out = 0x74f97590 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x74f972a8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEnvironmentVariableA, address_out = 0x74fb3c89 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x74f97584 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ResetEvent, address_out = 0x74f9729c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RemoveDirectoryA, address_out = 0x74f9756c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x74f97548 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x74f8994c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x74f898af |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x770dfd40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSection, address_out = 0x770e81f3 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetWindowsDirectoryA, address_out = 0x74f95be8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersionExA, address_out = 0x74f89a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocalTime, address_out = 0x74f8c070 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x74f836c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFullPathNameA, address_out = 0x74f974c4 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileAttributesA, address_out = 0x74f97440 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetExitCodeProcess, address_out = 0x74f95a18 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x74f8ca8e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDiskFreeSpaceA, address_out = 0x74f973f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatA, address_out = 0x74fb31fe |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x74f83580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x74f8be5c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeResource, address_out = 0x74f93eee |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageA, address_out = 0x74f953ee |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceA, address_out = 0x74f8db6a |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumCalendarInfoA, address_out = 0x74fc6145 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x770dfd00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileA, address_out = 0x74f97344 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77102974 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessA, address_out = 0x74fb2ecb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileA, address_out = 0x74f97320 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventA, address_out = 0x74f971b8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateDirectoryA, address_out = 0x74f972fc |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringA, address_out = 0x74f8a7f9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x74f9717c |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayPtrOfIndex, address_out = 0x74d96a3d |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayGetUBound, address_out = 0x74d95603 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayGetLBound, address_out = 0x74d95685 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayCreate, address_out = 0x74d95c82 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VariantChangeType, address_out = 0x74d9541e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VariantCopy, address_out = 0x74d94353 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VariantClear, address_out = 0x74d938d5 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VariantInit, address_out = 0x74d9397a |
|
1 | |
| Get Address | c:\windows\syswow64\shfolder.dll | function = SHGetFolderPathA, address_out = 0x748b14fd |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDiskFreeSpaceExA, address_out = 0x74f97404 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VariantChangeTypeEx, address_out = 0x74d94b29 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNeg, address_out = 0x74de8d54 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNot, address_out = 0x74deb24d |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAdd, address_out = 0x74dbc05b |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarSub, address_out = 0x74dea448 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMul, address_out = 0x74de997d |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDiv, address_out = 0x74de9341 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarIdiv, address_out = 0x74deae9e |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMod, address_out = 0x74deb0f4 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAnd, address_out = 0x74dbc567 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarOr, address_out = 0x74deb2e9 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarXor, address_out = 0x74deb465 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCmp, address_out = 0x74da586f |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarI4FromStr, address_out = 0x74da6cdb |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR4FromStr, address_out = 0x74daf665 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR8FromStr, address_out = 0x74dae6d8 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDateFromStr, address_out = 0x74db1e8a |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCyFromStr, address_out = 0x74dec63b |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBoolFromStr, address_out = 0x74daba10 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromCy, address_out = 0x74db2ff1 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromDate, address_out = 0x74db09be |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromBool, address_out = 0x74dae8c0 |
|
1 |
Keyboard (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = 0, result_out = 4 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = Ticks, time = 101859 |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = TMP, result_out = C:\Users\5JGHKO~1\AppData\Local\Temp |
|
1 | |
| Set Environment String | name = MYFILES, value = C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F |
|
1 | |
| Set Environment String | name = cmdln |
|
1 |
Process #2: cmd.exe
8165
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c ""C:\Users\5JGHKO~1\AppData\Local\Temp\CCEP00EL.bat" "C:\Users\5JgHKoaOfdp\Desktop\FRS.exe" " |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:33, Reason: Child Process |
| Unmonitor | End Time: 00:01:40, Reason: Self Terminated |
| Monitor Duration | 00:01:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa5c |
| Parent PID | 0xa3c (c:\users\5jghkoaofdp\desktop\frs.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A6C
0x
BEC
0x
2AC
0x
808
0x
BF0
0x
4F0
0x
AA8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| frs_decryptor.exe | 0x00400000 | 0x00452fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000b10000 | 0x00b10000 | 0x00b2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b10000 | 0x00b10000 | 0x00b1ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b23fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b31fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b33fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b40000 | 0x00b40000 | 0x00b4efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00b8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00c8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c90000 | 0x00c90000 | 0x00c93fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ca0000 | 0x00ca0000 | 0x00ca0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00cb1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00ccffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000cd0000 | 0x00cd0000 | 0x00cd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ce0000 | 0x00ce0000 | 0x00ce0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00cfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00cf0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00d00fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00e0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| imm32.dll | 0x00e10000 | 0x00e31fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000e10000 | 0x00e10000 | 0x00e12fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| windowsshell.manifest | 0x00e20000 | 0x00e20fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000e20000 | 0x00e20000 | 0x00e20fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e30000 | 0x00e30000 | 0x00e31fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00e7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00e8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00e90000 | 0x00f0dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x0100ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x0101ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001020000 | 0x01020000 | 0x011a7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000011b0000 | 0x011b0000 | 0x011b3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000011c0000 | 0x011c0000 | 0x011c3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000011d0000 | 0x011d0000 | 0x011d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| cversions.2.db | 0x011d0000 | 0x011d3fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000011e0000 | 0x011e0000 | 0x011e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000011f0000 | 0x011f0000 | 0x011fffff | Private Memory | Readable, Writable |
|
|
|
- |
| cversions.2.db | 0x01200000 | 0x01203fff | Memory Mapped File | Readable |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000006.db | 0x01210000 | 0x0124efff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0x01250000 | 0x01253fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000001260000 | 0x01260000 | 0x01261fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000028.db | 0x01270000 | 0x01289fff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sortdefault.nls | 0x012e0000 | 0x015b4fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000015c0000 | 0x015c0000 | 0x019bbfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000019c0000 | 0x019c0000 | 0x01b40fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001b50000 | 0x01b50000 | 0x02f4ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002f50000 | 0x02f50000 | 0x03040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x03050000 | 0x030d2fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000030e0000 | 0x030e0000 | 0x030e0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000030f0000 | 0x030f0000 | 0x0312ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003130000 | 0x03130000 | 0x0322ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003230000 | 0x03230000 | 0x0326ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003270000 | 0x03270000 | 0x0336ffff | Private Memory | Readable, Writable |
|
|
|
- |
| oleaccrc.dll | 0x03370000 | 0x03370fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000003370000 | 0x03370000 | 0x03370fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000003380000 | 0x03380000 | 0x033bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000033c0000 | 0x033c0000 | 0x034bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000034c0000 | 0x034c0000 | 0x034c0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000034d0000 | 0x034d0000 | 0x034d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000034e0000 | 0x034e0000 | 0x034e6fff | Private Memory | Readable, Writable |
|
|
|
- |
| sysmain.sdb | 0x034f0000 | 0x03896fff | Memory Mapped File | Readable |
|
|
|
- |
| wininet.dll | 0x73230000 | 0x733ecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x733f0000 | 0x73608fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x73610000 | 0x73731fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| userenv.dll | 0x739a0000 | 0x739b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73de0000 | 0x73df3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pcacli.dll | 0x73e00000 | 0x73e08fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73e10000 | 0x73e18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| actxprxy.dll | 0x73e20000 | 0x73f1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73f20000 | 0x73f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x73f40000 | 0x73f6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x73f70000 | 0x73f87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| photobase.dll | 0x73f90000 | 0x73f9cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleacc.dll | 0x73fa0000 | 0x73fe7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| windowscodecs.dll | 0x73ff0000 | 0x7413cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| d3d9.dll | 0x74140000 | 0x742f7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wtsapi32.dll | 0x74300000 | 0x7430dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74310000 | 0x74317fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| photoviewer.dll | 0x74320000 | 0x744a9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x744b0000 | 0x744bdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| propsys.dll | 0x744c0000 | 0x745e2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x745f0000 | 0x745f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x74600000 | 0x747e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntmarta.dll | 0x747f0000 | 0x74814fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cmdext.dll | 0x74820000 | 0x74826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x74830000 | 0x748a5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x748c0000 | 0x748d7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x748e0000 | 0x749bafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apphelp.dll | 0x749c0000 | 0x74a58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x74f30000 | 0x74f69fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdiplus.dll | 0x755b0000 | 0x756fcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75700000 | 0x7577cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x75780000 | 0x7592cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x75a50000 | 0x76bfcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007f28a000 | 0x7f28a000 | 0x7f28cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f28d000 | 0x7f28d000 | 0x7f28ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007f290000 | 0x7f290000 | 0x7f38ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f390000 | 0x7f390000 | 0x7f3b2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f3b3000 | 0x7f3b3000 | 0x7f3b5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f3b6000 | 0x7f3b6000 | 0x7f3b8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f3b9000 | 0x7f3b9000 | 0x7f3bbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f3bc000 | 0x7f3bc000 | 0x7f3bcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f3bd000 | 0x7f3bd000 | 0x7f3bdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\5jghkoaofdp\desktop\chinese_national_flag.png | 9.19 KB |
MD5:
82c2228d8775b2a2b1325cb824ee0d1a
SHA1: 49fd65ad486e55602308780b81ed80c421c5f8bd SHA256: debbf84b752eef8d137626710fc771bf3d7d1d21d218156dd126915920c6dbc7 |
|
|
| c:\frsramsomware\chinese_national_flag.png | 9.19 KB |
MD5:
82c2228d8775b2a2b1325cb824ee0d1a
SHA1: 49fd65ad486e55602308780b81ed80c421c5f8bd SHA256: debbf84b752eef8d137626710fc771bf3d7d1d21d218156dd126915920c6dbc7 |
|
|
| c:\users\5jghkoaofdp\desktop\frs_decryptor.exe | 296.00 KB |
MD5:
a7ffea3a80b4d5e4a39f170dc6603bab
SHA1: 1cf36c82454f4c3415feb509c94a3180fa840efa SHA256: c5f6d1db3e0707a8d694989a0eae063109e0ff310b42c0933d9411833301bd29 |
|
|
| c:\frsramsomware\frs_decryptor.exe | 296.00 KB |
MD5:
a7ffea3a80b4d5e4a39f170dc6603bab
SHA1: 1cf36c82454f4c3415feb509c94a3180fa840efa SHA256: c5f6d1db3e0707a8d694989a0eae063109e0ff310b42c0933d9411833301bd29 |
|
|
| c:\users\5jghkoaofdp\desktop\read_me_help_me.png | 125.17 KB |
MD5:
32555b61eece08c2091ba534ade60e79
SHA1: 2baf7b08d9c136c91173e309825e702d18fbe1e3 SHA256: 64c9e25a8309936f42bcbd71fb676fa09ccafbf66b25470be455bd8d6db0ea7e |
|
|
| c:\frsramsomware\read_me_help_me.png | 125.17 KB |
MD5:
32555b61eece08c2091ba534ade60e79
SHA1: 2baf7b08d9c136c91173e309825e702d18fbe1e3 SHA256: 64c9e25a8309936f42bcbd71fb676fa09ccafbf66b25470be455bd8d6db0ea7e |
|
|
| c:\users\5jghkoaofdp\desktop\read_me_help_me.txt | 0.89 KB |
MD5:
2fbe761d4e8ef1a82476360c674ad881
SHA1: bb5a7318691df1cb5a169ce9fe07364e824ee091 SHA256: 803de6ab58ee7f106e2dbc0b207821b7160ff133b5f1e05871a4a7c6c794f47d |
|
|
| c:\frsramsomware\read_me_help_me.txt | 0.89 KB |
MD5:
2fbe761d4e8ef1a82476360c674ad881
SHA1: bb5a7318691df1cb5a169ce9fe07364e824ee091 SHA256: 803de6ab58ee7f106e2dbc0b207821b7160ff133b5f1e05871a4a7c6c794f47d |
|
|
| c:\frs_temp\temp.txt | 0.01 KB |
MD5:
2863a0f767a37019a3f57c245ae20586
SHA1: f69e1ccf95ab44f33b1db5d9d984bc02070b4257 SHA256: 370dbcfde1ea1f282d9ed3f6bc282948cad2d99ff92767c5bcb4cba67ea06ccd |
|
|
| c:\users\5jghkoaofdp\desktop\frs_decryptor.exe | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\5jghkoaofdp\desktop\-twyiucq0.m4a.frs | 53.35 KB |
MD5:
dcee006e81655888366571c24682e083
SHA1: a5f8003d7f54415c4363c72b416a8323c57404a2 SHA256: 4ee9532e3e697beb49d7bef8ad4dbaaf6184f3a768031e872fd06ff3258f389f |
|
|
| c:\users\5jghkoaofdp\desktop\43r71_l4m.mp4.frs | 69.14 KB |
MD5:
3ebd854dd9c3ec8d8607f079db7311bc
SHA1: 2537bc090fe89483aedf0a115a2639128995de14 SHA256: 0d937854c873167a9e2a4f593e67a0d99fe3ef2aebbaff396a610d9a11b9bfa2 |
|
|
| c:\users\5jghkoaofdp\desktop\6eivhqj738.wav.frs | 13.46 KB |
MD5:
2496421dacbcbc7404e198ebc6b86bfd
SHA1: e2cf5ae5d227303b7243f98a2a3f9505c09c4180 SHA256: 812466a0ef6c0727b580af7328a13f9853f9ac94fcf462df9387d782cdbc41fd |
|
|
| c:\users\5jghkoaofdp\desktop\72imq3onh06hn.mp4.frs | 17.19 KB |
MD5:
183436de09529a28e9ac29c144c348b0
SHA1: 10791a3b982a7da5f68f6e61a2a06da828901cf0 SHA256: 38e88337f40fdd0750e22e8aa947e16f9fb7403c4d454ccb9a032329cc13323d |
|
|
| c:\users\5jghkoaofdp\desktop\7hytmofq-a8mf.ods.frs | 68.68 KB |
MD5:
0d76b3d5e0d11ee8d9d3ed9ecc02acc0
SHA1: 9bb6113a0e471ba07551e60855c870675efc0b52 SHA256: 72aa19352e1406cbe16bf35e7963a1a367e5af6cbc49709792bddadd28140b59 |
|
|
| c:\users\5jghkoaofdp\desktop\b-t7ydezo3m.png.frs | 98.94 KB |
MD5:
269550c2078b88b7936d5f3bf2801600
SHA1: c4756692d4c759d919145b0c1fb68fc861b85a3e SHA256: 9772ad5560c12638f0daeae983ee4fcca67142be606be5d89219f6c73abae852 |
|
|
| c:\users\5jghkoaofdp\desktop\frs.exe.frs | 270.00 KB |
MD5:
af6d91121887f5bb0a85a06b1ded0db7
SHA1: 3dc746ae351adbaa192400a58c492c83dd7f4a10 SHA256: 72ebc223bef1bf4cabad9c7eb6e520f0d93554f2807d4c8875be24dc3ab129a4 |
|
|
| c:\users\5jghkoaofdp\desktop\f_jdlby.rtf.frs | 3.73 KB |
MD5:
d2837a196b6ef9eb33e7b7c823f28720
SHA1: dd57eb156fe893654da5e8518664d0fc0ed3822e SHA256: 636d69b7b5ddee83266a4abccb8f07f6af596ade872bb7c96aa622410fb94e18 |
|
|
| c:\users\5jghkoaofdp\desktop\g3s4_wn8bnwcu.mp4.frs | 82.38 KB |
MD5:
f2054e74ed713f85a16dc2e6deb4118c
SHA1: 2f7f1cefe5bc2bfa6ffba892b065b31fadbfe9f9 SHA256: 3c37ca2e4b4068c4f4dc2077a2ee1e0edb4c9e976da5e6c5fd87d8ffa2edfdc4 |
|
|
| c:\users\5jghkoaofdp\desktop\gutlh6thwjyjtpp.ppt.frs | 76.56 KB |
MD5:
d293b272ca552c679493d87a71feb284
SHA1: e7fe00a1a76146f5c0a8f78c81ea771f9c90faa5 SHA256: cd4c2d7edbd55225903014fda92684e249f8b9500b02153a5af2ac13eb67be2a |
|
|
| c:\users\5jghkoaofdp\desktop\hxgdqridex_pfzyh_fbr.odt.frs | 3.37 KB |
MD5:
499909564bf72db33ed0c255bc1ae6d1
SHA1: 113730c56f198725fb19c24daffc364223673a89 SHA256: 32f605ca59c7752d8fbe0403dd0ffeebc7fe73758198ae5061ecf63e4e19f219 |
|
|
| c:\users\5jghkoaofdp\desktop\iw7veaa.gif.frs | 33.39 KB |
MD5:
15aea51959164c61fef2d19044e032e2
SHA1: dbf0b78ac22c4a70e496683e023be558898f1cc0 SHA256: 7de7fda5bc53d7dce5c78109a6653c21a0614d37f7d864ec64abfe32db73ec93 |
|
|
| c:\users\5jghkoaofdp\desktop\jbwzgaoqv2ah.flv.frs | 64.32 KB |
MD5:
c984395c35a74e33bd4fe5f708282330
SHA1: 9d9b8031a271875b268592dae4836a13441c92c2 SHA256: 9434cde78649d68fd68a0a45e0cf1ad8c4301f875dbee94161096ac1da8e286a |
|
|
| c:\users\5jghkoaofdp\desktop\j_3z6ryq7l9u.m4a.frs | 62.08 KB |
MD5:
ed73813eab986cd2303a51b5e8051bc1
SHA1: 8d7351e887cd1ebb7ea2710fe0d646d8070953dd SHA256: d3dcb98f8da72b0c45e60158086d6b644822e68166008844541a78ff8d4fd38a |
|
|
| c:\users\5jghkoaofdp\desktop\k5gvz.wav.frs | 94.05 KB |
MD5:
508ce3c726933adf93abd8eedc5b005a
SHA1: 569ccb4357f3f87fb5544a0cbcbc91f2bad1792c SHA256: 0101760176c291b794d606df5e348ec74eb6e3f0cfe75b0322291710c389bf92 |
|
|
| c:\users\5jghkoaofdp\desktop\o0eprpcorni4z.pdf.frs | 71.70 KB |
MD5:
cd71310cf533b55c5a275f4239929fc8
SHA1: 08997e3876390c77b70d249f7d77ba9964c68afb SHA256: 6f7cc559a7042dbf0ceff557109c254eb4062190b1293c180ea35672c630d1c0 |
|
|
| c:\users\5jghkoaofdp\desktop\ou5cauoh-hbi.mkv.frs | 88.02 KB |
MD5:
e2c33287edfe95df3dfa900fda78102d
SHA1: aa8176518799665a100da338a0fc8b675c949334 SHA256: 5f1bd322362324d2b035bd6e98efdf87f3e7eccedb9a1d791da7deb74196209a |
|
|
| c:\users\5jghkoaofdp\desktop\oumvigdyiou8ucwtila.flv.frs | 82.84 KB |
MD5:
08f24b055e25872fd313e991ef887dec
SHA1: 411395cd6e004e280408174069c70628bd1ffe9c SHA256: 1fd419fa182704cfb521dfac7d07c587c267a9e4ed53d57a396a5b1e3bf2a9dc |
|
|
| c:\users\5jghkoaofdp\desktop\rbzj46dm.m4a.frs | 30.43 KB |
MD5:
2a284da4cf07876212e13fd54e2ddbfd
SHA1: 5222e59a481d36bbdff7bc5ea6481c43719549d9 SHA256: 5000eede1639316cc33f743488c3d3e533232699c77ddf2664ee4bc712ecaa0f |
|
|
| c:\users\5jghkoaofdp\desktop\rpgefllksk.m4a.frs | 51.05 KB |
MD5:
8c1d7449ef6dcb78b80c2b9527cf7277
SHA1: b70f4132f25f68cd0a9e3c3c0d1545dbe970fce5 SHA256: 127035ce04036b82706a618a469267e55131db5f19863db4c9ccc71af1eb635e |
|
|
| c:\users\5jghkoaofdp\desktop\uc2u5sgsnmjje2.pps.frs | 48.65 KB |
MD5:
73de605f134a83bd00cb7fe7150a40ce
SHA1: 4fbdabacf32f4a846d0cff9a1d08bee04db7f53b SHA256: 0ac641c5ebaba9910c7ed220e39b3fb4ffb4e712aa3b02cbbbac73dcbf37a6f1 |
|
|
| c:\users\5jghkoaofdp\desktop\v7afohjmdiyo.m4a.frs | 47.28 KB |
MD5:
073cd8e4860baf9a00fa79000beee23d
SHA1: fdbc210481856e1e1d55cecc31ca072e2fe2b5f3 SHA256: 3d03bc068aac9e4e6adf0786a1290dba4a38c6b21f3a7c2cf7005833d97e924d |
|
|
| c:\users\5jghkoaofdp\desktop\w5 xas-kum9kx.odp.frs | 95.10 KB |
MD5:
542b40123d45e6e76ac33bc919a16cfc
SHA1: af6c3e4e309597d2e129d20e504f2ecf59cf5911 SHA256: cb0a928b2180e46159a711d91fb2971b324f1c18eb08ee249cd3904d0a1410fb |
|
|
| c:\users\5jghkoaofdp\desktop\wu_4n34grxa-1p.swf.frs | 60.28 KB |
MD5:
9471b77626099684c8ec0f9d55447ae3
SHA1: cd0ff9b7410801da6e677acd0734215d133f8c88 SHA256: 3d0863eef3952cce1ddf694e40425fa1fb53ee5653882e61fdf3045c365fec30 |
|
|
| c:\users\5jghkoaofdp\desktop\wyeepeitvrxcpbjj6.m4a.frs | 81.61 KB |
MD5:
203f81e5b580bcf969fc4ba50cb6f2fd
SHA1: 8ab09a0ef396b7f94836ef7b3a24812976f8abaf SHA256: 6cd38f6f7d725ba39c60bec5fe272a4325e886ee073b199772945bc585dd259e |
|
|
| c:\users\5jghkoaofdp\desktop\x 0yrdzrhlk5vrlqse.flv.frs | 58.05 KB |
MD5:
50be7f302227d15f188d4fe4c9c7f07a
SHA1: 6da972382ae1f1991bccb2d8ec5b55ab3659079e SHA256: e9f2874907d5afc9b71fed88d17e7fc6b332cc6dc285bd4678c2b4581ddb28a4 |
|
|
| c:\users\5jghkoaofdp\desktop\xa1kqskcf8g.rtf.frs | 36.47 KB |
MD5:
40084ad9938ea07c00a9272367f128d5
SHA1: 4eb56ff02cffc7fe6129e299e5568802ce439b6c SHA256: 5a78b71823d0db440a1caa285b79ace375450fba316fe744258f9dfc8e7296a5 |
|
|
| c:\users\5jghkoaofdp\links\desktop.lnk.frs | 0.45 KB |
MD5:
62f5b1049d3057e85e3fa640277dd003
SHA1: 3ac36b396f6cfee048f33937d65f6763d2d4e3b0 SHA256: 748c8c80c950814f0bc453d7ceec722cd95768295ba4f7dd93e073cebc9dcdbe |
|
|
| c:\users\5jghkoaofdp\links\downloads.lnk.frs | 0.88 KB |
MD5:
b5d1dd0aacfbc4d04a768689ba1eaa30
SHA1: 2fb607a6afd71549c7d11a0a0c604b12f2e9eb9e SHA256: 8d7c71ea735939294f518e5ce54200dabcf47d5ebd6bab8a5da11caaf542ffb0 |
|
|
| c:\users\5jghkoaofdp\links\recentplaces.lnk.frs | 0.35 KB |
MD5:
21bb52a29f0d477e0905152bb5bdc16c
SHA1: d6ad4bf96d12d1d0e5cfa358110ecaec9fe5db95 SHA256: fdd1a5c5414fa0a22cfbdf390d1d3f975f8e402474046232ee14f0b8d647edef |
|
|
| c:\users\5jghkoaofdp\favorites\bing.url.frs | 0.20 KB |
MD5:
5d42dddda9951546c9d43f0062c94d39
SHA1: 4af07c23ebb93bad9b96a4279bee29eba46be1ee SHA256: e0c0a5a360482b5c5ded8fad5706c4c66f215f527851ad87b31380ef6060696e |
|
|
| c:\users\5jghkoaofdp\searches\winrt--{s-1-5-21-3643094112-4209292109-138530109-1001}-.searchconnector-ms.frs | 0.83 KB |
MD5:
40b3b87ce35a573e1dab382563e0a7a3
SHA1: 520b1e8705ed2a24b57c3ec34fbf451e502db493 SHA256: 93554d3e433b01eb8735f562bf50f0da24d3ab5c96f9ad94d4885a5747c90bc4 |
|
|
| c:\users\5jghkoaofdp\videos\3cykmen1qsqdl.avi.frs | 75.28 KB |
MD5:
a0e6f04fe4b50311ffb400988f9cab3e
SHA1: 148f76881b5b92a1aad3758dc5f41dd1564eaafd SHA256: 0274b329a3423f958cb236a3da7fa96ad6b0383eb3762e0cfb5f7ca7d6621540 |
|
|
| c:\users\5jghkoaofdp\videos\4 evmh.flv.frs | 54.65 KB |
MD5:
47864d36517c776a087319bb836ba59e
SHA1: 1d8c515c34e87582d7f46ceb21d779d3271f9635 SHA256: 523c249e12aef12672a0eafb0d1f8c701825ab5abc4782a0a89a038cd1865356 |
|
|
| c:\users\5jghkoaofdp\videos\75rmilket_ce3woc7.mkv.frs | 6.63 KB |
MD5:
b88edbcaf8d15500f45ae1857f895ab6
SHA1: 3ee041af71b5f3eed8ade93e7e2f2d099ed2be3c SHA256: 7db4b34f70bd6cd3b6d5c593313dd45cd54aef5110a2c8286867b1b4e9d895cc |
|
|
| c:\users\5jghkoaofdp\videos\8tpcncitib7vspp8vwp.flv.frs | 94.68 KB |
MD5:
a444add3391d3a890deb4843606b974d
SHA1: 4b920a595b659fda17d717ade25c5f023013324f SHA256: b0a593957de4c83464d06c4c544af8d1be0ed6a6eedeef2b024a9dceefd19193 |
|
|
| c:\users\5jghkoaofdp\videos\c0w0rxzrwz.swf.frs | 74.13 KB |
MD5:
fc07615fe7985d630fe3d14786ec46c1
SHA1: 833976f25847a338f4a14e69da3bcf34c5b2825e SHA256: 95532bc364143266c6a34bac72db46b8c04193e3d3938d1227f7320e770afcd7 |
|
|
| c:\users\5jghkoaofdp\videos\czf7i.swf.frs | 39.56 KB |
MD5:
94e9f8ccd3d9d9be27edcb04c98161b4
SHA1: a0e220b9064ab9ba00268fda1ea3da52f9d6478b SHA256: 44934bd0f23ef97109a1e473b2525436381a16b5fda59780e3f8e774cd092064 |
|
|
| c:\users\5jghkoaofdp\videos\dl_eqdexsjozj_texj21.flv.frs | 20.85 KB |
MD5:
0a17f8c421b62fdc1c91fd51918e49a2
SHA1: 5b4e0442145173dc15f366efe4d78c8cd7e64359 SHA256: d65fc9661fbd6b106abed94d285a1d4e668ad91f9fa95f11f6c37e1bfe413605 |
|
|
| c:\users\5jghkoaofdp\videos\f5szn_eaybfcsfn.avi.frs | 96.23 KB |
MD5:
de2a40d72b9e79980cc257e2ba98b1a6
SHA1: d5decaf21eef3eb417bb29d5b9e7bd5b2ef5690d SHA256: 56e38e4762a189c8371fb6535d816e75c0123de687c892ce38251785f26996a4 |
|
|
| c:\users\5jghkoaofdp\videos\f7q9iv6zau.swf.frs | 85.16 KB |
MD5:
6b819364fc9d3363bfbc4299f649ecbc
SHA1: 350784a37eac372b7ec3aa891bf57310827551b4 SHA256: a59493f8211f7b2289d76b5e39945890dff344431d44d64d58b58c16b04625a1 |
|
|
| c:\users\5jghkoaofdp\videos\hlwevmas58agwm.flv.frs | 9.18 KB |
MD5:
bc8ded7645fd5d97169fecf26e43d16f
SHA1: a8ce4c4ffe0ded5c6e39664999928a0cc7048eac SHA256: 7f12d4acd7b5ac213f86f0bca480e1d8744c057642f3fc2d1096789094bc06ce |
|
|
| c:\users\5jghkoaofdp\videos\l 1id.mkv.frs | 58.21 KB |
MD5:
2ec616080fe92cac08672c5047194a70
SHA1: 104971d36b784e7fc8c0723da2f4662c9c660310 SHA256: f69aac2a423743b5e218010122c568097005d4520da01132baafe42dc553c198 |
|
|
| c:\users\5jghkoaofdp\videos\nuwem4__4.mp4.frs | 27.77 KB |
MD5:
52d5d7579a5f9eaa7c7d94afa9103c13
SHA1: dc86ffe03b6b64f16593be856886210aa188b20e SHA256: bc2dbcac064044f14f61e0e1467319d85a3f4084f61a518608b109e6f2f22f49 |
|
|
| c:\users\5jghkoaofdp\videos\ohc _cgopckuxz.avi.frs | 26.94 KB |
MD5:
80eea8d616b315ae79ef39b8d3896521
SHA1: 2e395acc07b116583979662dc3024e8d5cc42fb6 SHA256: 80666301663d20ed8277787182c71bf9777c133750bbb2d48db4ea54486a2ad7 |
|
|
| c:\users\5jghkoaofdp\videos\qpuchrfn1q.avi.frs | 19.56 KB |
MD5:
16d1e9b07d7ebdb1928add789187df60
SHA1: e566061d0ec7dd6027a86e3e215dd7c5c81c5163 SHA256: 6956e19c7388b79aa3239abefa096e7833c66582bcbf5b207229a8168ba20ad2 |
|
|
| c:\users\5jghkoaofdp\videos\qtjqn-h2jwkxcan.mp4.frs | 34.10 KB |
MD5:
3b208dcc47b65eb5b8eea43ae277bd88
SHA1: 1efc3ace15c60e25b308a46b1941d96ab5d19632 SHA256: 12aa78864146685cadf0434b460bde3a59184c692b20f1a748e5049694e9905d |
|
|
| c:\users\5jghkoaofdp\videos\qzrhrih83gk42.avi.frs | 44.18 KB |
MD5:
7603c131ea98c2de9585dd46668efa22
SHA1: 1d2ac7b661ac015bf0a70641fc13931c0bf1d033 SHA256: 64433447d319c9db1813bcb8d0f563d50c909913929b1ac79f0d17a7b0c042c5 |
|
|
| c:\users\5jghkoaofdp\videos\ttzk.avi.frs | 23.09 KB |
MD5:
fd0227079823b6fa9badb920924428f9
SHA1: 9ffd9d6058f96c5a267644674d625720a3b2438f SHA256: cb6a3223b93436d0e15e723506b684f504b965157d3ca893eec921be54cb8384 |
|
|
| c:\users\5jghkoaofdp\videos\x6ay-7vc33brcdpl.mkv.frs | 56.13 KB |
MD5:
d1072b0c575ce708b8124f1c10981b97
SHA1: 9ee24c8ac4c9ad02f6d094de08b79edec6437c7b SHA256: 2ec252623b1fb312d7c8416c97dcc0d678dcbac04c31705c68f5f24d0290f73e |
|
|
| c:\users\5jghkoaofdp\videos\_1pm viztec.avi.frs | 31.50 KB |
MD5:
6a87e0f4dd6ce2d23c4a7d38fb6feb2e
SHA1: 391de5f05a293d1c2d86b43e67bbf47f6f8d6fcd SHA256: 7e8cf77f934d36627522702ced4d4983b4463bb6aad2bca467f629e6b2544d2e |
|
|
| c:\users\5jghkoaofdp\pictures\aaera.png.frs | 72.65 KB |
MD5:
226d1c68aea9a856b252e01b0e4383d1
SHA1: ec8b8d0ce03a2d975e7bea6f6c6431fbfbc755d8 SHA256: 50bc834145ad60178d201b9b0ff8381dd2fc5c10ed5d7ba441b0c338d7552080 |
|
|
| c:\users\5jghkoaofdp\pictures\bpc_m3aamw.bmp.frs | 24.23 KB |
MD5:
ccb10db03248ae4400a7cc3018c5f0f9
SHA1: 8a836646613cae7048a488a247f8bde931b66931 SHA256: 7fe1b121d77d17a49297e086eaf8d0c686d2c510fc29256f37be878c9be0d6c3 |
|
|
| c:\users\5jghkoaofdp\pictures\dftnsfgtdnqy.bmp.frs | 19.33 KB |
MD5:
2a94ac9fd1c14d172dd881fd169bd9de
SHA1: 6682bb4c1c65245a08dd0f4d32e4b4f8e6bb1423 SHA256: 9655f08a129ad5f7147b146391354e410c5b4e70a97fa4a2b9e6fa1a996d8d98 |
|
|
| c:\users\5jghkoaofdp\pictures\q8xcgkv_0fans40lozvi.bmp.frs | 30.52 KB |
MD5:
260b77981b4d5c50d663269754e0ea9c
SHA1: ebc5024c86bf77ac92f66618df96e29d16164c35 SHA256: 64b175055b754e212c17c6491420381913705b3e5af12347d0b5a70c76c47852 |
|
|
Host Behavior
File (7474)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5JGHKO~1\AppData\Local\Temp\CCEP00EL.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
5 | |
| Create | C:\Users\5JGHKO~1\AppData\Local\Temp\CCEP00EL.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
21 | |
| Create | C:\Users\5JGHKO~1\AppData\Local\Temp\CCEP00EL.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
20 | |
| Create | C:\Users\5JGHKO~1\AppData\Local\Temp\CCEP00EL.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
6 | |
| Create | C:\FRS_TEMP\temp.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\FRS_Decryptor.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\READ_ME_HELP_ME.png | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\READ_ME_HELP_ME.txt | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\Chinese_national_flag.png | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\5JGHKO~1\AppData\Local\Temp\CCEP00EL.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
4 | |
| Create | nul | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
33 | |
| Create | C:\Users\5JGHKO~1\AppData\Local\Temp\CCEP00EL.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
6 | |
| Create | C:\Users\5JGHKO~1\AppData\Local\Temp\CCEP00EL.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
10 | |
| Create | C:\Users\5JGHKO~1\AppData\Local\Temp\CCEP00EL.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
6 | |
| Create | C:\Users\5JGHKO~1\AppData\Local\Temp\CCEP00EL.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
6 | |
| Create | C:\Users\5JGHKO~1\AppData\Local\Temp\CCEP00EL.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
12 | |
| Create | C:\Users\5JGHKO~1\AppData\Local\Temp\CCEP00EL.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
12 | |
| Create | C:\Users\5JGHKO~1\AppData\Local\Temp\CCEP00EL.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
12 | |
| Create | C:\Users\5JGHKO~1\AppData\Local\Temp\CCEP00EL.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
6 | |
| Create | C:\Users\5JGHKO~1\AppData\Local\Temp\CCEP00EL.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
6 | |
| Create | C:\Users\5JGHKO~1\AppData\Local\Temp\CCEP00EL.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
6 | |
| Create | C:\Users\5JGHKO~1\AppData\Local\Temp\CCEP00EL.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
6 | |
| Create | C:\Users\5JGHKO~1\AppData\Local\Temp\CCEP00EL.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
6 | |
| Create Directory | C:\FRSRAMSOMWARE | - |
|
1 | |
| Create Directory | C:\FRS_TEMP | - |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
3 | |
| Get Info | "C:\Users\5JGHKO~1\AppData\Local\Temp\CCEP00EL.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
5 | |
| Get Info | - | type = file_type |
|
22 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
45 | |
| Get Info | - | type = size |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\*.* | type = file_attributes |
|
2 | |
| Get Info | C:\Users\5JgHKoaOfdp\Saved Games\*.* | type = file_attributes |
|
2 | |
| Get Info | C:\Users\5JgHKoaOfdp\Saved Games | type = file_attributes |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
6 | |
| Get Info | C:\Users\5JgHKoaOfdp\Links\*.* | type = file_attributes |
|
2 | |
| Get Info | C:\Users\5JgHKoaOfdp\Links | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Favorites\*.* | type = file_attributes |
|
2 | |
| Get Info | C:\Users\5JgHKoaOfdp\Favorites | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Searches\*.* | type = file_attributes |
|
2 | |
| Get Info | C:\Users\5JgHKoaOfdp\Searches | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Videos\*.* | type = file_attributes |
|
2 | |
| Get Info | C:\Users\5JgHKoaOfdp\Videos | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Pictures\*.* | type = file_attributes |
|
2 | |
| Get Info | C:\Users\5JgHKoaOfdp\Pictures | type = file_attributes |
|
1 | |
| Get Info | C:\Users\Public\*.* | type = file_attributes |
|
2 | |
| Get Info | C:\Users\Public | type = file_attributes |
|
1 | |
| Get Info | C:\*.* | type = file_attributes |
|
2 | |
| Get Info | C:\ | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
21 | |
| Get Info | - | type = file_type |
|
14 | |
| Get Info | - | type = size |
|
1 | |
| Get Info | echo.encrypt | type = file_attributes |
|
1 | |
| Get Info | C:\FRS_TEMP\temp.txt | type = file_type |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\FRS_Decryptor.exe | type = file_attributes |
|
2 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\FRS_Decryptor.exe | type = file_attributes |
|
2 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\FRS_Decryptor.exe | type = file_attributes |
|
1 | |
| Get Info | System Paging File | type = file_type |
|
8 | |
| Get Info | C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\READ_ME_HELP_ME.png | type = file_attributes |
|
2 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\READ_ME_HELP_ME.png | type = file_attributes |
|
2 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\READ_ME_HELP_ME.png | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\READ_ME_HELP_ME.txt | type = file_attributes |
|
2 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\READ_ME_HELP_ME.txt | type = file_attributes |
|
2 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\READ_ME_HELP_ME.txt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\Chinese_national_flag.png | type = file_attributes |
|
2 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\Chinese_national_flag.png | type = file_attributes |
|
2 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\Chinese_national_flag.png | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop\FRS.exe | type = file_attributes |
|
2 | |
| Get Info | C:\FRSRAMSOMWARE\FRS_Decryptor.exe | type = file_attributes |
|
2 | |
| Get Info | C:\FRSRAMSOMWARE\FRS_Decryptor.exe | type = file_attributes |
|
1 | |
| Get Info | C:\FRSRAMSOMWARE\READ_ME_HELP_ME.png | type = file_attributes |
|
2 | |
| Get Info | C:\FRSRAMSOMWARE\READ_ME_HELP_ME.png | type = file_attributes |
|
1 | |
| Get Info | C:\FRSRAMSOMWARE\READ_ME_HELP_ME.txt | type = file_attributes |
|
2 | |
| Get Info | C:\FRSRAMSOMWARE\READ_ME_HELP_ME.txt | type = file_attributes |
|
1 | |
| Get Info | C:\FRSRAMSOMWARE\Chinese_national_flag.png | type = file_attributes |
|
2 | |
| Get Info | C:\FRSRAMSOMWARE\Chinese_national_flag.png | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
4 | |
| Get Info | - | type = file_type |
|
73 | |
| Get Info | - | type = file_type |
|
146 | |
| Get Info | - | type = size |
|
3 | |
| Get Info | - | type = size |
|
2 | |
| Get Info | - | type = file_type |
|
140 | |
| Get Info | - | type = size |
|
2 | |
| Get Info | - | type = file_type |
|
140 | |
| Get Info | - | type = size |
|
4 | |
| Get Info | - | type = file_type |
|
280 | |
| Get Info | - | type = size |
|
1 | |
| Get Info | - | type = size |
|
4 | |
| Get Info | - | type = file_type |
|
280 | |
| Get Info | - | type = size |
|
4 | |
| Get Info | - | type = file_type |
|
280 | |
| Get Info | - | type = size |
|
2 | |
| Get Info | - | type = file_type |
|
140 | |
| Get Info | - | type = size |
|
2 | |
| Get Info | - | type = file_type |
|
140 | |
| Get Info | - | type = size |
|
2 | |
| Get Info | - | type = file_type |
|
140 | |
| Get Info | - | type = size |
|
2 | |
| Get Info | - | type = file_type |
|
140 | |
| Get Info | - | type = size |
|
2 | |
| Get Info | - | type = file_type |
|
140 | |
| Open | STD_OUTPUT_HANDLE | - |
|
274 | |
| Open | STD_INPUT_HANDLE | - |
|
121 | |
| Open | - | - |
|
20 | |
| Open | - | - |
|
75 | |
| Open | STD_ERROR_HANDLE | - |
|
22 | |
| Open | - | - |
|
48 | |
| Open | - | - |
|
24 | |
| Open | - | - |
|
16 | |
| Open | - | - |
|
8 | |
| Open | - | - |
|
82 | |
| Open | - | - |
|
164 | |
| Open | - | - |
|
153 | |
| Open | - | - |
|
153 | |
| Open | - | - |
|
305 | |
| Open | - | - |
|
304 | |
| Open | - | - |
|
304 | |
| Open | - | - |
|
152 | |
| Open | - | - |
|
152 | |
| Open | - | - |
|
152 | |
| Open | - | - |
|
152 | |
| Open | - | - |
|
152 | |
| Copy | C:\Users\5JgHKoaOfdp\Desktop\FRS_Decryptor.exe | source_filename = C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\FRS_Decryptor.exe |
|
1 | |
| Copy | C:\Users\5JgHKoaOfdp\Desktop\READ_ME_HELP_ME.png | source_filename = C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\READ_ME_HELP_ME.png |
|
1 | |
| Copy | C:\Users\5JgHKoaOfdp\Desktop\READ_ME_HELP_ME.txt | source_filename = C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\READ_ME_HELP_ME.txt |
|
1 | |
| Copy | C:\Users\5JgHKoaOfdp\Desktop\Chinese_national_flag.png | source_filename = C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\Chinese_national_flag.png |
|
1 | |
| Copy | C:\FRSRAMSOMWARE\FRS_Decryptor.exe | source_filename = C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\FRS_Decryptor.exe |
|
1 | |
| Copy | C:\FRSRAMSOMWARE\READ_ME_HELP_ME.png | source_filename = C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\READ_ME_HELP_ME.png |
|
1 | |
| Copy | C:\FRSRAMSOMWARE\READ_ME_HELP_ME.txt | source_filename = C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\READ_ME_HELP_ME.txt |
|
1 | |
| Copy | C:\FRSRAMSOMWARE\Chinese_national_flag.png | source_filename = C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\Chinese_national_flag.png |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Desktop\-TWyIUcq0.m4a.FRS | source_filename = C:\Users\5JgHKoaOfdp\Desktop\-TWyIUcq0.m4a, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Desktop\43r71_L4m.mp4.FRS | source_filename = C:\Users\5JgHKoaOfdp\Desktop\43r71_L4m.mp4, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Desktop\6EivHQj738.wav.FRS | source_filename = C:\Users\5JgHKoaOfdp\Desktop\6EivHQj738.wav, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Desktop\72iMq3oNH06hn.mp4.FRS | source_filename = C:\Users\5JgHKoaOfdp\Desktop\72iMq3oNH06hn.mp4, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Desktop\7HyTMOfQ-a8mF.ods.FRS | source_filename = C:\Users\5JgHKoaOfdp\Desktop\7HyTMOfQ-a8mF.ods, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Desktop\B-t7yDezo3M.png.FRS | source_filename = C:\Users\5JgHKoaOfdp\Desktop\B-t7yDezo3M.png, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Desktop\FRS.exe.FRS | source_filename = C:\Users\5JgHKoaOfdp\Desktop\FRS.exe, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Desktop\f_JdlbY.rtf.FRS | source_filename = C:\Users\5JgHKoaOfdp\Desktop\f_JdlbY.rtf, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Desktop\g3S4_wn8bNWcu.mp4.FRS | source_filename = C:\Users\5JgHKoaOfdp\Desktop\g3S4_wn8bNWcu.mp4, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Desktop\GUTLH6thWjyjtPP.ppt.FRS | source_filename = C:\Users\5JgHKoaOfdp\Desktop\GUTLH6thWjyjtPP.ppt, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Desktop\HxGDqRidEx_PFzYh_fbr.odt.FRS | source_filename = C:\Users\5JgHKoaOfdp\Desktop\HxGDqRidEx_PFzYh_fbr.odt, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Desktop\IW7VeAA.gif.FRS | source_filename = C:\Users\5JgHKoaOfdp\Desktop\IW7VeAA.gif, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Desktop\jBwZGAoQv2ah.flv.FRS | source_filename = C:\Users\5JgHKoaOfdp\Desktop\jBwZGAoQv2ah.flv, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Desktop\j_3Z6ryQ7L9U.m4a.FRS | source_filename = C:\Users\5JgHKoaOfdp\Desktop\j_3Z6ryQ7L9U.m4a, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Desktop\k5gVz.wav.FRS | source_filename = C:\Users\5JgHKoaOfdp\Desktop\k5gVz.wav, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Desktop\o0EPrPCoRNi4z.pdf.FRS | source_filename = C:\Users\5JgHKoaOfdp\Desktop\o0EPrPCoRNi4z.pdf, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Desktop\OU5cAUoh-hbI.mkv.FRS | source_filename = C:\Users\5JgHKoaOfdp\Desktop\OU5cAUoh-hbI.mkv, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Desktop\OumVIgDYioU8ucWTila.flv.FRS | source_filename = C:\Users\5JgHKoaOfdp\Desktop\OumVIgDYioU8ucWTila.flv, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Desktop\RbzJ46DM.m4a.FRS | source_filename = C:\Users\5JgHKoaOfdp\Desktop\RbzJ46DM.m4a, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Desktop\rpGEfLLKSK.m4a.FRS | source_filename = C:\Users\5JgHKoaOfdp\Desktop\rpGEfLLKSK.m4a, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Desktop\uc2U5SGsnmjJE2.pps.FRS | source_filename = C:\Users\5JgHKoaOfdp\Desktop\uc2U5SGsnmjJE2.pps, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Desktop\V7aFohjMdiyo.m4a.FRS | source_filename = C:\Users\5JgHKoaOfdp\Desktop\V7aFohjMdiyo.m4a, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Desktop\w5 xAs-kUM9kX.odp.FRS | source_filename = C:\Users\5JgHKoaOfdp\Desktop\w5 xAs-kUM9kX.odp, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Desktop\wu_4n34gRXa-1P.swf.FRS | source_filename = C:\Users\5JgHKoaOfdp\Desktop\wu_4n34gRXa-1P.swf, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Desktop\wYeepEITvrXcPBjj6.m4a.FRS | source_filename = C:\Users\5JgHKoaOfdp\Desktop\wYeepEITvrXcPBjj6.m4a, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Desktop\x 0yrdzRhLK5vrlqSe.flv.FRS | source_filename = C:\Users\5JgHKoaOfdp\Desktop\x 0yrdzRhLK5vrlqSe.flv, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Desktop\xA1kQSkcf8G.rtf.FRS | source_filename = C:\Users\5JgHKoaOfdp\Desktop\xA1kQSkcf8G.rtf, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Links\Desktop.lnk.FRS | source_filename = C:\Users\5JgHKoaOfdp\Links\Desktop.lnk, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Links\Downloads.lnk.FRS | source_filename = C:\Users\5JgHKoaOfdp\Links\Downloads.lnk, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Links\RecentPlaces.lnk.FRS | source_filename = C:\Users\5JgHKoaOfdp\Links\RecentPlaces.lnk, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Favorites\Bing.url.FRS | source_filename = C:\Users\5JgHKoaOfdp\Favorites\Bing.url, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Searches\winrt--{S-1-5-21-3643094112-4209292109-138530109-1001}-.searchconnector-ms.FRS | source_filename = C:\Users\5JgHKoaOfdp\Searches\winrt--{S-1-5-21-3643094112-4209292109-138530109-1001}-.searchconnector-ms, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Videos\3cYkmEN1QsqDL.avi.FRS | source_filename = C:\Users\5JgHKoaOfdp\Videos\3cYkmEN1QsqDL.avi, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Videos\4 eVMh.flv.FRS | source_filename = C:\Users\5JgHKoaOfdp\Videos\4 eVMh.flv, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Videos\75rmilKeT_cE3woc7.mkv.FRS | source_filename = C:\Users\5JgHKoaOfdp\Videos\75rmilKeT_cE3woc7.mkv, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Videos\8tPCnCitib7vSPP8vwp.flv.FRS | source_filename = C:\Users\5JgHKoaOfdp\Videos\8tPCnCitib7vSPP8vwp.flv, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Videos\c0W0rxzRwZ.swf.FRS | source_filename = C:\Users\5JgHKoaOfdp\Videos\c0W0rxzRwZ.swf, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Videos\cZF7I.swf.FRS | source_filename = C:\Users\5JgHKoaOfdp\Videos\cZF7I.swf, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Videos\dL_eqDExsJoZJ_texJ21.flv.FRS | source_filename = C:\Users\5JgHKoaOfdp\Videos\dL_eqDExsJoZJ_texJ21.flv, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Videos\F5szn_EaYBFCsfN.avi.FRS | source_filename = C:\Users\5JgHKoaOfdp\Videos\F5szn_EaYBFCsfN.avi, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Videos\f7Q9Iv6Zau.swf.FRS | source_filename = C:\Users\5JgHKoaOfdp\Videos\f7Q9Iv6Zau.swf, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Videos\hLWevmAs58agwM.flv.FRS | source_filename = C:\Users\5JgHKoaOfdp\Videos\hLWevmAs58agwM.flv, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Videos\L 1ID.mkv.FRS | source_filename = C:\Users\5JgHKoaOfdp\Videos\L 1ID.mkv, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Videos\nuWem4__4.mp4.FRS | source_filename = C:\Users\5JgHKoaOfdp\Videos\nuWem4__4.mp4, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Videos\OHC _CGoPCkuxz.avi.FRS | source_filename = C:\Users\5JgHKoaOfdp\Videos\OHC _CGoPCkuxz.avi, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Videos\qPuChrfn1q.avi.FRS | source_filename = C:\Users\5JgHKoaOfdp\Videos\qPuChrfn1q.avi, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Videos\qTJQn-H2jwKxCan.mp4.FRS | source_filename = C:\Users\5JgHKoaOfdp\Videos\qTJQn-H2jwKxCan.mp4, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Videos\QZRHrIh83gk42.avi.FRS | source_filename = C:\Users\5JgHKoaOfdp\Videos\QZRHrIh83gk42.avi, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Videos\TtZk.avi.FRS | source_filename = C:\Users\5JgHKoaOfdp\Videos\TtZk.avi, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Videos\x6AY-7VC33bRCdpL.mkv.FRS | source_filename = C:\Users\5JgHKoaOfdp\Videos\x6AY-7VC33bRCdpL.mkv, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Videos\_1pm VIZTec.avi.FRS | source_filename = C:\Users\5JgHKoaOfdp\Videos\_1pm VIZTec.avi, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Pictures\AaERa.png.FRS | source_filename = C:\Users\5JgHKoaOfdp\Pictures\AaERa.png, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Pictures\bpC_m3AaMw.bmp.FRS | source_filename = C:\Users\5JgHKoaOfdp\Pictures\bpC_m3AaMw.bmp, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Pictures\DftnsFgTdnQy.bmp.FRS | source_filename = C:\Users\5JgHKoaOfdp\Pictures\DftnsFgTdnQy.bmp, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Move | C:\Users\5JgHKoaOfdp\Pictures\q8XcgkV_0fAns40lOzVi.bmp.FRS | source_filename = C:\Users\5JgHKoaOfdp\Pictures\q8XcgkV_0fAns40lOzVi.bmp, flags = MOVEFILE_COPY_ALLOWED |
|
1 | |
| Read | - | size = 8191, size_out = 2670 |
|
1 | |
| Read | - | size = 8191, size_out = 2662 |
|
1 | |
| Read | - | size = 8191, size_out = 2651 |
|
1 | |
| Read | - | size = 8191, size_out = 2649 |
|
1 | |
| Read | - | size = 8191, size_out = 2645 |
|
1 | |
| Read | - | size = 8191, size_out = 2572 |
|
1 | |
| Read | - | size = 8191, size_out = 2540 |
|
1 | |
| Read | - | size = 8191, size_out = 2535 |
|
1 | |
| Read | - | size = 512, size_out = 512 |
|
2 | |
| Read | - | size = 8191, size_out = 2521 |
|
1 | |
| Read | - | size = 8191, size_out = 2474 |
|
1 | |
| Read | - | size = 8191, size_out = 2423 |
|
1 | |
| Read | - | size = 8191, size_out = 2378 |
|
1 | |
| Read | - | size = 8191, size_out = 2329 |
|
1 | |
| Read | - | size = 8191, size_out = 2281 |
|
1 | |
| Read | - | size = 8191, size_out = 2235 |
|
1 | |
| Read | - | size = 8191, size_out = 2187 |
|
1 | |
| Read | - | size = 8191, size_out = 2152 |
|
1 | |
| Read | - | size = 8191, size_out = 2130 |
|
1 | |
| Read | - | size = 8191, size_out = 2108 |
|
1 | |
| Read | - | size = 8191, size_out = 2086 |
|
1 | |
| Read | - | size = 8191, size_out = 2064 |
|
1 | |
| Read | - | size = 8191, size_out = 2001 |
|
1 | |
| Read | - | size = 8191, size_out = 1934 |
|
1 | |
| Read | - | size = 8191, size_out = 1873 |
|
1 | |
| Read | - | size = 8191, size_out = 1808 |
|
1 | |
| Read | - | size = 8191, size_out = 1744 |
|
1 | |
| Read | - | size = 8191, size_out = 1682 |
|
1 | |
| Read | - | size = 8191, size_out = 1618 |
|
1 | |
| Read | - | size = 8191, size_out = 1567 |
|
1 | |
| Read | - | size = 8191, size_out = 1515 |
|
1 | |
| Read | - | size = 8191, size_out = 1477 |
|
1 | |
| Read | - | size = 8191, size_out = 1439 |
|
1 | |
| Read | - | size = 8191, size_out = 1401 |
|
1 | |
| Read | - | size = 8191, size_out = 1363 |
|
1 | |
| Read | - | size = 512, size_out = 512 |
|
2 | |
| Read | - | size = 8191, size_out = 1349 |
|
1 | |
| Read | - | size = 8191, size_out = 1328 |
|
1 | |
| Read | - | size = 8191, size_out = 1291 |
|
1 | |
| Read | - | size = 8191, size_out = 1275 |
|
1 | |
| Read | - | size = 8191, size_out = 1243 |
|
1 | |
| Read | - | size = 8191, size_out = 1208 |
|
1 | |
| Read | - | size = 512, size_out = 512 |
|
8 | |
| Read | - | size = 8191, size_out = 1128 |
|
1 | |
| Read | - | size = 8191, size_out = 1044 |
|
1 | |
| Read | - | size = 8191, size_out = 960 |
|
1 | |
| Read | - | size = 8191, size_out = 864 |
|
1 | |
| Read | - | size = 8191, size_out = 830 |
|
1 | |
| Read | - | size = 8191, size_out = 733 |
|
1 | |
| Read | - | size = 8191, size_out = 664 |
|
1 | |
| Read | - | size = 8191, size_out = 591 |
|
1 | |
| Read | - | size = 8191, size_out = 518 |
|
1 | |
| Read | - | size = 8191, size_out = 433 |
|
1 | |
| Read | - | size = 8191, size_out = 390 |
|
1 | |
| Read | - | size = 8191, size_out = 368 |
|
1 | |
| Read | - | size = 8191, size_out = 331 |
|
1 | |
| Read | - | size = 8191, size_out = 309 |
|
1 | |
| Read | - | size = 8191, size_out = 287 |
|
1 | |
| Read | - | size = 8191, size_out = 250 |
|
1 | |
| Read | - | size = 8191, size_out = 228 |
|
1 | |
| Read | - | size = 8191, size_out = 193 |
|
1 | |
| Read | - | size = 512, size_out = 185 |
|
3 | |
| Read | - | size = 512, size_out = 183 |
|
3 | |
| Read | - | size = 8191, size_out = 179 |
|
3 | |
| Read | - | size = 8191, size_out = 158 |
|
3 | |
| Read | - | size = 8191, size_out = 85 |
|
3 | |
| Read | - | size = 512, size_out = 43 |
|
2 | |
| Read | - | size = 512, size_out = 8 |
|
2 | |
| Read | - | size = 512, size_out = 0 |
|
2 | |
| Read | - | size = 512, size_out = 512 |
|
106 | |
| Read | - | size = 512, size_out = 433 |
|
2 | |
| Read | - | size = 512, size_out = 390 |
|
2 | |
| Read | - | size = 512, size_out = 368 |
|
2 | |
| Read | - | size = 512, size_out = 331 |
|
2 | |
| Read | - | size = 512, size_out = 309 |
|
2 | |
| Read | - | size = 512, size_out = 287 |
|
2 | |
| Read | - | size = 512, size_out = 250 |
|
2 | |
| Read | - | size = 512, size_out = 228 |
|
2 | |
| Read | - | size = 512, size_out = 193 |
|
2 | |
| Read | - | size = 512, size_out = 185 |
|
2 | |
| Read | - | size = 512, size_out = 183 |
|
2 | |
| Read | - | size = 8191, size_out = 179 |
|
2 | |
| Read | - | size = 8191, size_out = 158 |
|
2 | |
| Read | - | size = 8191, size_out = 85 |
|
2 | |
| Read | - | size = 512, size_out = 43 |
|
2 | |
| Read | - | size = 512, size_out = 8 |
|
2 | |
| Read | - | size = 512, size_out = 0 |
|
2 | |
| Read | - | size = 512, size_out = 512 |
|
106 | |
| Read | - | size = 512, size_out = 433 |
|
2 | |
| Read | - | size = 512, size_out = 390 |
|
2 | |
| Read | - | size = 512, size_out = 368 |
|
2 | |
| Read | - | size = 512, size_out = 331 |
|
2 | |
| Read | - | size = 512, size_out = 309 |
|
2 | |
| Read | - | size = 512, size_out = 287 |
|
2 | |
| Read | - | size = 512, size_out = 250 |
|
2 | |
| Read | - | size = 512, size_out = 228 |
|
2 | |
| Read | - | size = 512, size_out = 193 |
|
2 | |
| Read | - | size = 512, size_out = 185 |
|
2 | |
| Read | - | size = 512, size_out = 183 |
|
2 | |
| Read | - | size = 8191, size_out = 179 |
|
2 | |
| Read | - | size = 8191, size_out = 158 |
|
2 | |
| Read | - | size = 8191, size_out = 85 |
|
2 | |
| Read | - | size = 512, size_out = 43 |
|
4 | |
| Read | - | size = 512, size_out = 8 |
|
4 | |
| Read | - | size = 512, size_out = 0 |
|
4 | |
| Read | - | size = 512, size_out = 512 |
|
212 | |
| Read | - | size = 512, size_out = 433 |
|
4 | |
| Read | - | size = 512, size_out = 390 |
|
4 | |
| Read | - | size = 512, size_out = 368 |
|
4 | |
| Read | - | size = 512, size_out = 331 |
|
4 | |
| Read | - | size = 512, size_out = 309 |
|
4 | |
| Read | - | size = 512, size_out = 287 |
|
4 | |
| Read | - | size = 512, size_out = 250 |
|
4 | |
| Read | - | size = 512, size_out = 228 |
|
4 | |
| Read | - | size = 512, size_out = 193 |
|
4 | |
| Read | - | size = 512, size_out = 185 |
|
4 | |
| Read | - | size = 512, size_out = 183 |
|
4 | |
| Read | - | size = 8191, size_out = 179 |
|
4 | |
| Read | - | size = 8191, size_out = 158 |
|
4 | |
| Read | - | size = 8191, size_out = 85 |
|
4 | |
| Read | - | size = 512, size_out = 43 |
|
1 | |
| Read | - | size = 512, size_out = 8 |
|
1 | |
| Read | - | size = 512, size_out = 0 |
|
1 | |
| Read | - | size = 512, size_out = 512 |
|
53 | |
| Read | - | size = 512, size_out = 433 |
|
1 | |
| Read | - | size = 512, size_out = 390 |
|
1 | |
| Read | - | size = 512, size_out = 368 |
|
1 | |
| Read | - | size = 512, size_out = 331 |
|
1 | |
| Read | - | size = 512, size_out = 309 |
|
1 | |
| Read | - | size = 512, size_out = 287 |
|
1 | |
| Read | - | size = 512, size_out = 250 |
|
1 | |
| Read | - | size = 512, size_out = 228 |
|
1 | |
| Read | - | size = 512, size_out = 193 |
|
1 | |
| Read | - | size = 512, size_out = 185 |
|
1 | |
| Read | - | size = 512, size_out = 183 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 158 |
|
1 | |
| Read | - | size = 8191, size_out = 85 |
|
1 | |
| Read | - | size = 512, size_out = 43 |
|
2 | |
| Read | - | size = 512, size_out = 8 |
|
2 | |
| Read | - | size = 512, size_out = 0 |
|
2 | |
| Read | - | size = 512, size_out = 512 |
|
106 | |
| Read | - | size = 512, size_out = 433 |
|
2 | |
| Read | - | size = 512, size_out = 390 |
|
2 | |
| Read | - | size = 512, size_out = 368 |
|
2 | |
| Read | - | size = 512, size_out = 331 |
|
2 | |
| Read | - | size = 512, size_out = 309 |
|
2 | |
| Read | - | size = 512, size_out = 287 |
|
2 | |
| Read | - | size = 512, size_out = 250 |
|
2 | |
| Read | - | size = 512, size_out = 228 |
|
2 | |
| Read | - | size = 512, size_out = 193 |
|
2 | |
| Read | - | size = 512, size_out = 43 |
|
4 | |
| Read | - | size = 512, size_out = 8 |
|
4 | |
| Read | - | size = 512, size_out = 0 |
|
4 | |
| Read | - | size = 512, size_out = 512 |
|
212 | |
| Read | - | size = 512, size_out = 433 |
|
4 | |
| Read | - | size = 512, size_out = 390 |
|
4 | |
| Read | - | size = 512, size_out = 368 |
|
4 | |
| Read | - | size = 512, size_out = 331 |
|
4 | |
| Read | - | size = 512, size_out = 309 |
|
4 | |
| Read | - | size = 512, size_out = 287 |
|
4 | |
| Read | - | size = 512, size_out = 250 |
|
4 | |
| Read | - | size = 512, size_out = 228 |
|
4 | |
| Read | - | size = 512, size_out = 193 |
|
4 | |
| Read | - | size = 512, size_out = 185 |
|
4 | |
| Read | - | size = 512, size_out = 183 |
|
4 | |
| Read | - | size = 8191, size_out = 179 |
|
4 | |
| Read | - | size = 8191, size_out = 158 |
|
4 | |
| Read | - | size = 8191, size_out = 85 |
|
4 | |
| Read | - | size = 512, size_out = 43 |
|
4 | |
| Read | - | size = 512, size_out = 8 |
|
4 | |
| Read | - | size = 512, size_out = 0 |
|
4 | |
| Read | - | size = 512, size_out = 512 |
|
212 | |
| Read | - | size = 512, size_out = 433 |
|
4 | |
| Read | - | size = 512, size_out = 390 |
|
4 | |
| Read | - | size = 512, size_out = 368 |
|
4 | |
| Read | - | size = 512, size_out = 331 |
|
4 | |
| Read | - | size = 512, size_out = 309 |
|
4 | |
| Read | - | size = 512, size_out = 287 |
|
4 | |
| Read | - | size = 512, size_out = 250 |
|
4 | |
| Read | - | size = 512, size_out = 228 |
|
4 | |
| Read | - | size = 512, size_out = 193 |
|
4 | |
| Read | - | size = 512, size_out = 185 |
|
4 | |
| Read | - | size = 512, size_out = 183 |
|
4 | |
| Read | - | size = 8191, size_out = 179 |
|
4 | |
| Read | - | size = 8191, size_out = 158 |
|
4 | |
| Read | - | size = 8191, size_out = 85 |
|
4 | |
| Read | - | size = 512, size_out = 43 |
|
2 | |
| Read | - | size = 512, size_out = 8 |
|
2 | |
| Read | - | size = 512, size_out = 0 |
|
2 | |
| Read | - | size = 512, size_out = 512 |
|
106 | |
| Read | - | size = 512, size_out = 433 |
|
2 | |
| Read | - | size = 512, size_out = 390 |
|
2 | |
| Read | - | size = 512, size_out = 368 |
|
2 | |
| Read | - | size = 512, size_out = 331 |
|
2 | |
| Read | - | size = 512, size_out = 309 |
|
2 | |
| Read | - | size = 512, size_out = 287 |
|
2 | |
| Read | - | size = 512, size_out = 250 |
|
2 | |
| Read | - | size = 512, size_out = 228 |
|
2 | |
| Read | - | size = 512, size_out = 193 |
|
2 | |
| Read | - | size = 512, size_out = 185 |
|
2 | |
| Read | - | size = 512, size_out = 183 |
|
2 | |
| Read | - | size = 8191, size_out = 179 |
|
2 | |
| Read | - | size = 8191, size_out = 158 |
|
2 | |
| Read | - | size = 8191, size_out = 85 |
|
2 | |
| Read | - | size = 512, size_out = 43 |
|
2 | |
| Read | - | size = 512, size_out = 8 |
|
2 | |
| Read | - | size = 512, size_out = 0 |
|
2 | |
| Read | - | size = 512, size_out = 512 |
|
106 | |
| Read | - | size = 512, size_out = 433 |
|
2 | |
| Read | - | size = 512, size_out = 390 |
|
2 | |
| Read | - | size = 512, size_out = 368 |
|
2 | |
| Read | - | size = 512, size_out = 331 |
|
2 | |
| Read | - | size = 512, size_out = 309 |
|
2 | |
| Read | - | size = 512, size_out = 287 |
|
2 | |
| Read | - | size = 512, size_out = 250 |
|
2 | |
| Read | - | size = 512, size_out = 228 |
|
2 | |
| Read | - | size = 512, size_out = 193 |
|
2 | |
| Read | - | size = 512, size_out = 185 |
|
2 | |
| Read | - | size = 512, size_out = 183 |
|
2 | |
| Read | - | size = 8191, size_out = 179 |
|
2 | |
| Read | - | size = 8191, size_out = 158 |
|
2 | |
| Read | - | size = 8191, size_out = 85 |
|
2 | |
| Read | - | size = 512, size_out = 43 |
|
2 | |
| Read | - | size = 512, size_out = 8 |
|
2 | |
| Read | - | size = 512, size_out = 0 |
|
2 | |
| Read | - | size = 512, size_out = 512 |
|
106 | |
| Read | - | size = 512, size_out = 433 |
|
2 | |
| Read | - | size = 512, size_out = 390 |
|
2 | |
| Read | - | size = 512, size_out = 368 |
|
2 | |
| Read | - | size = 512, size_out = 331 |
|
2 | |
| Read | - | size = 512, size_out = 309 |
|
2 | |
| Read | - | size = 512, size_out = 287 |
|
2 | |
| Read | - | size = 512, size_out = 250 |
|
2 | |
| Read | - | size = 512, size_out = 228 |
|
2 | |
| Read | - | size = 512, size_out = 193 |
|
2 | |
| Read | - | size = 512, size_out = 185 |
|
2 | |
| Read | - | size = 512, size_out = 183 |
|
2 | |
| Read | - | size = 8191, size_out = 179 |
|
2 | |
| Read | - | size = 8191, size_out = 158 |
|
2 | |
| Read | - | size = 8191, size_out = 85 |
|
2 | |
| Read | - | size = 512, size_out = 43 |
|
2 | |
| Read | - | size = 512, size_out = 8 |
|
2 | |
| Read | - | size = 512, size_out = 0 |
|
2 | |
| Read | - | size = 512, size_out = 512 |
|
106 | |
| Read | - | size = 512, size_out = 433 |
|
2 | |
| Read | - | size = 512, size_out = 390 |
|
2 | |
| Read | - | size = 512, size_out = 368 |
|
2 | |
| Read | - | size = 512, size_out = 331 |
|
2 | |
| Read | - | size = 512, size_out = 309 |
|
2 | |
| Read | - | size = 512, size_out = 287 |
|
2 | |
| Read | - | size = 512, size_out = 250 |
|
2 | |
| Read | - | size = 512, size_out = 228 |
|
2 | |
| Read | - | size = 512, size_out = 193 |
|
2 | |
| Read | - | size = 512, size_out = 185 |
|
2 | |
| Read | - | size = 512, size_out = 183 |
|
2 | |
| Read | - | size = 8191, size_out = 179 |
|
2 | |
| Read | - | size = 8191, size_out = 158 |
|
2 | |
| Read | - | size = 8191, size_out = 85 |
|
2 | |
| Read | - | size = 512, size_out = 43 |
|
2 | |
| Read | - | size = 512, size_out = 8 |
|
2 | |
| Read | - | size = 512, size_out = 0 |
|
2 | |
| Read | - | size = 512, size_out = 512 |
|
106 | |
| Read | - | size = 512, size_out = 433 |
|
2 | |
| Read | - | size = 512, size_out = 390 |
|
2 | |
| Read | - | size = 512, size_out = 368 |
|
2 | |
| Read | - | size = 512, size_out = 331 |
|
2 | |
| Read | - | size = 512, size_out = 309 |
|
2 | |
| Read | - | size = 512, size_out = 287 |
|
2 | |
| Read | - | size = 512, size_out = 250 |
|
2 | |
| Read | - | size = 512, size_out = 228 |
|
2 | |
| Read | - | size = 512, size_out = 193 |
|
2 | |
| Read | - | size = 512, size_out = 185 |
|
2 | |
| Read | - | size = 512, size_out = 183 |
|
2 | |
| Read | - | size = 8191, size_out = 179 |
|
2 | |
| Read | - | size = 8191, size_out = 158 |
|
2 | |
| Read | - | size = 8191, size_out = 85 |
|
2 | |
| Write | STD_ERROR_HANDLE | size = 41 |
|
3 | |
| Write | STD_ERROR_HANDLE | size = 45 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 27 |
|
8 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 140, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (97)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x3d4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xb0c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xb48, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xb50, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xb58, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xb60, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xb68, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xb70, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xb78, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xb80, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xb88, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xb90, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xb98, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xba0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xbc4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xbd0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xbd8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xbe0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x974, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\cacls.exe | os_pid = 0x8d8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xb40, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\cacls.exe | os_pid = 0xb44, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x6b8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\cacls.exe | os_pid = 0x770, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\cmd.exe | os_pid = 0x9a4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\cacls.exe | os_pid = 0x6b0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\attrib.exe | os_pid = 0x810, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\attrib.exe | os_pid = 0x728, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\Chinese_national_flag.png | os_pid = 0x0, creation_flags = CREATE_NEW_CONSOLE, CREATE_UNICODE_ENVIRONMENT, CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0x93c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\READ_ME_HELP_ME.txt | os_pid = 0x0, creation_flags = CREATE_NEW_CONSOLE, CREATE_UNICODE_ENVIRONMENT, CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0x408, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0xa88, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\READ_ME_HELP_ME.png | os_pid = 0x0, creation_flags = CREATE_NEW_CONSOLE, CREATE_UNICODE_ENVIRONMENT, CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0xaf8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\FRS_Decryptor.exe | os_pid = 0x94c, creation_flags = CREATE_NEW_CONSOLE, CREATE_UNICODE_ENVIRONMENT, CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0x968, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
30 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0x7f4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0xb48, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0xb84, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0xbd4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0xb44, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0x9c0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0x5e8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0xbb4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0x860, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0x4c8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0xaa8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0x37c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0x804, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0x12c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0x4e8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0x3d4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0xb74, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0xba4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0x820, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0x118, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0xa48, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0x9c0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0x22c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0x8e8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0x934, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0x8fc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0x844, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0x648, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\PING.EXE | os_pid = 0xa98, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Thread (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Resume | c:\windows\syswow64\cmd.exe | os_tid = 0xa6c |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (539)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
138 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
100 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
118 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
14 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = e |
|
1 | |
| Get Environment String | name = USERNAME, result_out = 5JgHKoaOfdp |
|
14 | |
| Get Environment String | name = MYFILES, result_out = C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F |
|
12 | |
| Get Environment String | name = username, result_out = 5JgHKoaOfdp |
|
4 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
62 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
35 | |
| Set Environment String | name = =ExitCodeAscii |
|
36 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #4: cmd.exe
51
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c find "e" "C:\FRS_TEMP\temp.txt" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:34, Reason: Child Process |
| Unmonitor | End Time: 00:01:42, Reason: Self Terminated |
| Monitor Duration | 00:01:08 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xabc |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
ACC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000003c0000 | 0x003c0000 | 0x003dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003fefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x0053ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x00543fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x00550fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x00561fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005dffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x005e0000 | 0x0065dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x008cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00a8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00a90000 | 0x00d64fff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ed10000 | 0x7ed10000 | 0x7ee0ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ee10000 | 0x7ee10000 | 0x7ee32fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ee3a000 | 0x7ee3a000 | 0x7ee3afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee3c000 | 0x7ee3c000 | 0x7ee3efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee3f000 | 0x7ee3f000 | 0x7ee3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 178, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\find.exe | os_pid = 0xadc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #5: find.exe
0
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\syswow64\find.exe |
| Command Line | find "e" "C:\FRS_TEMP\temp.txt" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:34, Reason: Child Process |
| Unmonitor | End Time: 00:01:42, Reason: Self Terminated |
| Monitor Duration | 00:01:08 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xadc |
| Parent PID | 0xabc (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AEC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00cdffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000cc0000 | 0x00cc0000 | 0x00ccffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00cd3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00ce1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00ce3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000cf0000 | 0x00cf0000 | 0x00cfefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00d3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d40000 | 0x00d40000 | 0x00d7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000d80000 | 0x00d80000 | 0x00d83fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000d90000 | 0x00d90000 | 0x00d90fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00da1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00db0000 | 0x00e2dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x010effff | Private Memory | Readable, Writable |
|
|
|
- |
| find.exe | 0x011c0000 | 0x011c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001330000 | 0x01330000 | 0x0133ffff | Private Memory | Readable, Writable |
|
|
|
- |
| fsutilext.dll | 0x747e0000 | 0x747eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ulib.dll | 0x747f0000 | 0x74810fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f080000 | 0x7f080000 | 0x7f17ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f180000 | 0x7f180000 | 0x7f1a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f1a4000 | 0x7f1a4000 | 0x7f1a4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f1a7000 | 0x7f1a7000 | 0x7f1a7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f1ad000 | 0x7f1ad000 | 0x7f1affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #6: cmd.exe
46
0
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /S /D /c" echo y" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:35, Reason: Child Process |
| Unmonitor | End Time: 00:01:42, Reason: Self Terminated |
| Monitor Duration | 00:01:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3d4 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AFC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000008c0000 | 0x008c0000 | 0x008dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000008c0000 | 0x008c0000 | 0x008cffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x008d3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x008e1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x008fefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x0093ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x00a3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x00a43fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000a50000 | 0x00a50000 | 0x00a50fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a61fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00a70000 | 0x00aedfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00b9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00bfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00ebffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ede0000 | 0x7ede0000 | 0x7eedffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007eee0000 | 0x7eee0000 | 0x7ef02fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ef06000 | 0x7ef06000 | 0x7ef06fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef0c000 | 0x7ef0c000 | 0x7ef0efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef0f000 | 0x7ef0f000 | 0x7ef0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (12)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
6 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (9)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
3 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 |
Process #7: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Users\5JgHKoaOfdp\Desktop\*.*" /e /d everyone |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:35, Reason: Child Process |
| Unmonitor | End Time: 00:01:45, Reason: Self Terminated |
| Monitor Duration | 00:01:10 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb0c |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B24
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000004b0000 | 0x004b0000 | 0x004cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x004bffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004c3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x004d1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x004eefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x0052ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0056ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x00573fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x00580fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x00591fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x005a0000 | 0x0061dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0063ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0073ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cacls.exe | 0x00b30000 | 0x00b39fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntmarta.dll | 0x747f0000 | 0x74814fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ef30000 | 0x7ef30000 | 0x7f02ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f030000 | 0x7f030000 | 0x7f052fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f058000 | 0x7f058000 | 0x7f058fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f05b000 | 0x7f05b000 | 0x7f05bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f05d000 | 0x7f05d000 | 0x7f05ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #8: cmd.exe
46
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /S /D /c" echo y" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:35, Reason: Child Process |
| Unmonitor | End Time: 00:01:45, Reason: Self Terminated |
| Monitor Duration | 00:01:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb48 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B4C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000350000 | 0x00350000 | 0x0036ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x0035ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x00363fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x00371fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x0038efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x003cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x004cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x004d3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x004e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x004f1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00500000 | 0x0057dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0068ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x0079ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e960000 | 0x7e960000 | 0x7ea5ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ea60000 | 0x7ea60000 | 0x7ea82fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ea8b000 | 0x7ea8b000 | 0x7ea8dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ea8e000 | 0x7ea8e000 | 0x7ea8efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ea8f000 | 0x7ea8f000 | 0x7ea8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (12)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
6 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 178, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (9)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
3 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 |
Process #9: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Users\5JgHKoaOfdp\Saved Games\*.*" /e /d everyone |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:35, Reason: Child Process |
| Unmonitor | End Time: 00:01:44, Reason: Self Terminated |
| Monitor Duration | 00:01:09 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb50 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B54
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000360000 | 0x00360000 | 0x0037ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x0036ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x00373fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x00381fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x00383fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000390000 | 0x00390000 | 0x0039efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x0041ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x00423fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00430fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x00441fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00452fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00460fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| cacls.exe.mui | 0x00470000 | 0x00471fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x005effff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x005f0000 | 0x0066dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007cffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x007d0000 | 0x00aa4fff | Memory Mapped File | Readable |
|
|
|
- |
| cacls.exe | 0x00b30000 | 0x00b39fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntmarta.dll | 0x747f0000 | 0x74814fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f5a0000 | 0x7f5a0000 | 0x7f69ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f6a0000 | 0x7f6a0000 | 0x7f6c2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f6c8000 | 0x7f6c8000 | 0x7f6c8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f6ca000 | 0x7f6ca000 | 0x7f6cafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f6cd000 | 0x7f6cd000 | 0x7f6cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #10: cmd.exe
46
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /S /D /c" echo y" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:35, Reason: Child Process |
| Unmonitor | End Time: 00:01:45, Reason: Self Terminated |
| Monitor Duration | 00:01:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb58 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B5C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000c20000 | 0x00c20000 | 0x00c3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c20000 | 0x00c20000 | 0x00c2ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c30000 | 0x00c30000 | 0x00c33fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00c41fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c50000 | 0x00c50000 | 0x00c5efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00c9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00d9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000da0000 | 0x00da0000 | 0x00da3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000db0000 | 0x00db0000 | 0x00db0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dc1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00dd0000 | 0x00e4dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000f20000 | 0x00f20000 | 0x00f2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001060000 | 0x01060000 | 0x0106ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001120000 | 0x01120000 | 0x0121ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f450000 | 0x7f450000 | 0x7f54ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f550000 | 0x7f550000 | 0x7f572fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f57b000 | 0x7f57b000 | 0x7f57bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f57c000 | 0x7f57c000 | 0x7f57efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f57f000 | 0x7f57f000 | 0x7f57ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (12)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
6 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 44, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (9)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
3 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 |
Process #11: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Users\5JgHKoaOfdp\Links\*.*" /e /d everyone |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:35, Reason: Child Process |
| Unmonitor | End Time: 00:01:46, Reason: Self Terminated |
| Monitor Duration | 00:01:11 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb60 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B64
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cacls.exe | 0x00b30000 | 0x00b39fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00b7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b60000 | 0x00b60000 | 0x00b6ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00b73fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00b81fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00b83fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b90000 | 0x00b90000 | 0x00b9efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00bdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00c1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c20000 | 0x00c20000 | 0x00c23fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000c30000 | 0x00c30000 | 0x00c30fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00c41fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c50000 | 0x00c50000 | 0x00c52fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000c60000 | 0x00c60000 | 0x00c60fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| cacls.exe.mui | 0x00c70000 | 0x00c71fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00c9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00ca0000 | 0x00d1dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000d90000 | 0x00d90000 | 0x00d9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00ebffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00ec0000 | 0x01194fff | Memory Mapped File | Readable |
|
|
|
- |
| ntmarta.dll | 0x747f0000 | 0x74814fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007eea0000 | 0x7eea0000 | 0x7ef9ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efa0000 | 0x7efa0000 | 0x7efc2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efc4000 | 0x7efc4000 | 0x7efc4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efca000 | 0x7efca000 | 0x7efcafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efcd000 | 0x7efcd000 | 0x7efcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #12: cmd.exe
46
0
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /S /D /c" echo y" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:35, Reason: Child Process |
| Unmonitor | End Time: 00:01:48, Reason: Self Terminated |
| Monitor Duration | 00:01:13 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb68 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B6C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000510000 | 0x00510000 | 0x0052ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x0051ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x00523fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x00531fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x0054efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0058ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x0068ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00693fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x006a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x006b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x006c0000 | 0x0073dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x0077ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x0095ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e790000 | 0x7e790000 | 0x7e88ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e890000 | 0x7e890000 | 0x7e8b2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e8b7000 | 0x7e8b7000 | 0x7e8b9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e8ba000 | 0x7e8ba000 | 0x7e8bafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e8bd000 | 0x7e8bd000 | 0x7e8bdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (12)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
6 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 178, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (9)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
3 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 |
Process #13: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Users\5JgHKoaOfdp\Favorites\*.*" /e /d everyone |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:35, Reason: Child Process |
| Unmonitor | End Time: 00:01:48, Reason: Self Terminated |
| Monitor Duration | 00:01:13 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb70 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B74
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000009a0000 | 0x009a0000 | 0x009bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x009affff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x009b3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x009c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x009c3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x009defff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x00a1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a60000 | 0x00a60000 | 0x00a63fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000a70000 | 0x00a70000 | 0x00a70fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00a81fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00a90000 | 0x00b0dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000b10000 | 0x00b10000 | 0x00b12fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000b20000 | 0x00b20000 | 0x00b20fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| cacls.exe | 0x00b30000 | 0x00b39fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cacls.exe.mui | 0x00b40000 | 0x00b41fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00b7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c80000 | 0x00c80000 | 0x00c8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00f2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00f30000 | 0x01204fff | Memory Mapped File | Readable |
|
|
|
- |
| ntmarta.dll | 0x747f0000 | 0x74814fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f670000 | 0x7f670000 | 0x7f76ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f770000 | 0x7f770000 | 0x7f792fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f796000 | 0x7f796000 | 0x7f796fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f79a000 | 0x7f79a000 | 0x7f79afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f79d000 | 0x7f79d000 | 0x7f79ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #14: cmd.exe
46
0
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /S /D /c" echo y" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:35, Reason: Child Process |
| Unmonitor | End Time: 00:01:48, Reason: Self Terminated |
| Monitor Duration | 00:01:13 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb78 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B7C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000d30000 | 0x00d30000 | 0x00d4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000d30000 | 0x00d30000 | 0x00d3ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d40000 | 0x00d40000 | 0x00d43fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00d51fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000d60000 | 0x00d60000 | 0x00d6efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00daffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00eaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000eb0000 | 0x00eb0000 | 0x00eb3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ec0000 | 0x00ec0000 | 0x00ec0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ed0000 | 0x00ed0000 | 0x00ed1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f20000 | 0x00f20000 | 0x00f2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00f30000 | 0x00fadfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001060000 | 0x01060000 | 0x0115ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001220000 | 0x01220000 | 0x0122ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f060000 | 0x7f060000 | 0x7f15ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f160000 | 0x7f160000 | 0x7f182fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f188000 | 0x7f188000 | 0x7f18afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f18b000 | 0x7f18b000 | 0x7f18bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f18d000 | 0x7f18d000 | 0x7f18dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (12)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
6 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 44, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (9)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
3 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 |
Process #15: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #15 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Users\5JgHKoaOfdp\Searches\*.*" /e /d everyone |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:35, Reason: Child Process |
| Unmonitor | End Time: 00:01:50, Reason: Self Terminated |
| Monitor Duration | 00:01:15 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb80 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B84
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000590000 | 0x00590000 | 0x005affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x005cefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x0060ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0064ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x00653fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x00660fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x00671fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0069ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cacls.exe | 0x00b30000 | 0x00b39fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ee20000 | 0x7ee20000 | 0x7ee42fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ee45000 | 0x7ee45000 | 0x7ee45fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee48000 | 0x7ee48000 | 0x7ee48fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee4d000 | 0x7ee4d000 | 0x7ee4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #16: cmd.exe
46
0
| Information | Value |
|---|---|
| ID | #16 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /S /D /c" echo y" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:35, Reason: Child Process |
| Unmonitor | End Time: 00:01:50, Reason: Self Terminated |
| Monitor Duration | 00:01:15 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb88 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B8C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000910000 | 0x00910000 | 0x0092ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x0091ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x00923fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x00931fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x0094efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x0098ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x00a8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x00a93fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000aa0000 | 0x00aa0000 | 0x00aa0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00ab1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00ac0000 | 0x00b3dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00bbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00c2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00e1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ef90000 | 0x7ef90000 | 0x7f08ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f090000 | 0x7f090000 | 0x7f0b2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0ba000 | 0x7f0ba000 | 0x7f0bafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0bc000 | 0x7f0bc000 | 0x7f0befff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0bf000 | 0x7f0bf000 | 0x7f0bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (12)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
6 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (9)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
3 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 |
Process #17: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #17 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Users\5JgHKoaOfdp\Videos\*.*" /e /d everyone |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:01:49, Reason: Self Terminated |
| Monitor Duration | 00:01:13 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb90 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B94
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000480000 | 0x00480000 | 0x0049ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x0048ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x00493fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004a3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x004befff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0053ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x00543fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x00550fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x00561fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00570000 | 0x005edfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x005f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00600fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0061ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cacls.exe.mui | 0x00620000 | 0x00621fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x007affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x0092ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cacls.exe | 0x00b30000 | 0x00b39fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sortdefault.nls | 0x00b40000 | 0x00e14fff | Memory Mapped File | Readable |
|
|
|
- |
| ntmarta.dll | 0x747f0000 | 0x74814fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ed90000 | 0x7ed90000 | 0x7ee8ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ee90000 | 0x7ee90000 | 0x7eeb2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eebb000 | 0x7eebb000 | 0x7eebbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eebc000 | 0x7eebc000 | 0x7eebefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eebf000 | 0x7eebf000 | 0x7eebffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #18: cmd.exe
46
0
| Information | Value |
|---|---|
| ID | #18 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /S /D /c" echo y" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:01:50, Reason: Self Terminated |
| Monitor Duration | 00:01:14 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb98 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B9C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000070000 | 0x00070000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x0007ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00083fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x00091fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000aefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x001effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x00200fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00211fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00220000 | 0x0029dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0032ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0052ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0069ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e490000 | 0x7e490000 | 0x7e58ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e590000 | 0x7e590000 | 0x7e5b2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e5b6000 | 0x7e5b6000 | 0x7e5b6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e5bc000 | 0x7e5bc000 | 0x7e5befff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e5bf000 | 0x7e5bf000 | 0x7e5bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (12)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
6 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (9)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
3 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 |
Process #19: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #19 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Users\5JgHKoaOfdp\Pictures\*.*" /e /d everyone |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:01:52, Reason: Self Terminated |
| Monitor Duration | 00:01:16 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xba0 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BA4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| cacls.exe | 0x00b30000 | 0x00b39fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x00faffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f90000 | 0x00f90000 | 0x00f9ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00fa3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fb0000 | 0x00fb0000 | 0x00fb1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fb0000 | 0x00fb0000 | 0x00fb3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000fc0000 | 0x00fc0000 | 0x00fcefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x0100ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x0104ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x01053fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001060000 | 0x01060000 | 0x01060fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001070000 | 0x01070000 | 0x01071fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001080000 | 0x01080000 | 0x01082fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001090000 | 0x01090000 | 0x01090fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| cacls.exe.mui | 0x010a0000 | 0x010a1fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000010c0000 | 0x010c0000 | 0x010cffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x010d0000 | 0x0114dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001250000 | 0x01250000 | 0x0134ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001480000 | 0x01480000 | 0x0148ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x01490000 | 0x01764fff | Memory Mapped File | Readable |
|
|
|
- |
| ntmarta.dll | 0x747f0000 | 0x74814fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e6b0000 | 0x7e6b0000 | 0x7e7affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e7b0000 | 0x7e7b0000 | 0x7e7d2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e7db000 | 0x7e7db000 | 0x7e7ddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e7de000 | 0x7e7de000 | 0x7e7defff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e7df000 | 0x7e7df000 | 0x7e7dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #20: cmd.exe
46
0
| Information | Value |
|---|---|
| ID | #20 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /S /D /c" echo y" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:01:53, Reason: Self Terminated |
| Monitor Duration | 00:01:17 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbc4 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BC8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00deffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000dd0000 | 0x00dd0000 | 0x00ddffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00de3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00df1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e00000 | 0x00e00000 | 0x00e0efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00e4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00f4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f50000 | 0x00f50000 | 0x00f53fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000f60000 | 0x00f60000 | 0x00f60fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x00f71fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00f80000 | 0x00ffdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001080000 | 0x01080000 | 0x0108ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0120ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000013f0000 | 0x013f0000 | 0x014effff | Private Memory | Readable, Writable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e200000 | 0x7e200000 | 0x7e2fffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e300000 | 0x7e300000 | 0x7e322fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e323000 | 0x7e323000 | 0x7e323fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e329000 | 0x7e329000 | 0x7e329fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e32d000 | 0x7e32d000 | 0x7e32ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (12)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
6 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 236, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (9)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
3 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 |
Process #21: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #21 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Users\Public\*.*" /e /d everyone |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:01:53, Reason: Self Terminated |
| Monitor Duration | 00:01:17 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbd0 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BD4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000150000 | 0x00150000 | 0x0016ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x0015ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x00163fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00171fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00173fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x0018efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x001cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00213fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00220fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00231fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00240000 | 0x002bdfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| cacls.exe.mui | 0x002e0000 | 0x002e1fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0036ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x005bffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x005c0000 | 0x00894fff | Memory Mapped File | Readable |
|
|
|
- |
| cacls.exe | 0x00b30000 | 0x00b39fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntmarta.dll | 0x747f0000 | 0x74814fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e9f0000 | 0x7e9f0000 | 0x7eaeffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007eaf0000 | 0x7eaf0000 | 0x7eb12fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eb1b000 | 0x7eb1b000 | 0x7eb1bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb1c000 | 0x7eb1c000 | 0x7eb1efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb1f000 | 0x7eb1f000 | 0x7eb1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #22: cmd.exe
46
0
| Information | Value |
|---|---|
| ID | #22 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /S /D /c" echo y" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:01:55, Reason: Self Terminated |
| Monitor Duration | 00:01:19 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbd8 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BDC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000000b0000 | 0x000b0000 | 0x000cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x000bffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000eefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x0012ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0022ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00233fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00240fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00251fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00260000 | 0x002ddfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0045ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x006fffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e6d0000 | 0x7e6d0000 | 0x7e7cffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e7d0000 | 0x7e7d0000 | 0x7e7f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e7f4000 | 0x7e7f4000 | 0x7e7f4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e7fc000 | 0x7e7fc000 | 0x7e7fefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e7ff000 | 0x7e7ff000 | 0x7e7fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (12)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
6 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 236, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (9)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
3 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 |
Process #23: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #23 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\*.*" /e /d everyone |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:01:55, Reason: Self Terminated |
| Monitor Duration | 00:01:19 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbe0 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BE4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000390000 | 0x00390000 | 0x003affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003cefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x0040ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0044ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00453fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00460fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x00471fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x004fffff | Private Memory | Readable, Writable |
|
|
|
- |
| cacls.exe | 0x00b30000 | 0x00b39fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f470000 | 0x7f470000 | 0x7f492fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f49a000 | 0x7f49a000 | 0x7f49cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f49d000 | 0x7f49d000 | 0x7f49dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f49f000 | 0x7f49f000 | 0x7f49ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #24: cmd.exe
46
0
| Information | Value |
|---|---|
| ID | #24 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /S /D /c" echo y" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:01:54, Reason: Self Terminated |
| Monitor Duration | 00:01:18 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x974 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8DC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000160000 | 0x00160000 | 0x0017ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x0016ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00173fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00181fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x0019efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x002dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x002f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x00301fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00310000 | 0x0038dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0052ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f210000 | 0x7f210000 | 0x7f30ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f310000 | 0x7f310000 | 0x7f332fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f33a000 | 0x7f33a000 | 0x7f33afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f33b000 | 0x7f33b000 | 0x7f33bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f33d000 | 0x7f33d000 | 0x7f33ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (12)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
6 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 178, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (9)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
3 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 |
Process #25: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #25 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\*.*" /e /d everyone |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:01:55, Reason: Self Terminated |
| Monitor Duration | 00:01:19 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8d8 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
820
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000220000 | 0x00220000 | 0x0023ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x0022ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00233fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00241fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x00243fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x0025efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0029ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x002f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x00301fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0031ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00322fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000330000 | 0x00330000 | 0x00330fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| cacls.exe.mui | 0x00340000 | 0x00341fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0045ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00460000 | 0x004ddfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0052ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00530000 | 0x00804fff | Memory Mapped File | Readable |
|
|
|
- |
| cacls.exe | 0x00b30000 | 0x00b39fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntmarta.dll | 0x747f0000 | 0x74814fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6a0000 | 0x7f6a0000 | 0x7f79ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f7a0000 | 0x7f7a0000 | 0x7f7c2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f7c8000 | 0x7f7c8000 | 0x7f7c8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f7cc000 | 0x7f7cc000 | 0x7f7cefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f7cf000 | 0x7f7cf000 | 0x7f7cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #26: cmd.exe
46
0
| Information | Value |
|---|---|
| ID | #26 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /S /D /c" echo y" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:01:58, Reason: Self Terminated |
| Monitor Duration | 00:01:22 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb40 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BE8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000007d0000 | 0x007d0000 | 0x007effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x007dffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x007f1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x007f3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x0080efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0084ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x0094ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000950000 | 0x00950000 | 0x00953fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000960000 | 0x00960000 | 0x00960fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x00971fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00980000 | 0x009fdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00a8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00c8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f350000 | 0x7f350000 | 0x7f44ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f450000 | 0x7f450000 | 0x7f472fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f476000 | 0x7f476000 | 0x7f476fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f47a000 | 0x7f47a000 | 0x7f47cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f47d000 | 0x7f47d000 | 0x7f47dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (12)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
6 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (9)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
3 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 |
Process #27: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #27 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "D:\*.*" /e /d everyone |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:01:58, Reason: Self Terminated |
| Monitor Duration | 00:01:22 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb44 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B3C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000004d0000 | 0x004d0000 | 0x004effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x004dffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x004e3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x004f1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x004f3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x0050efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0054ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0058ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x00593fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000005a0000 | 0x005a0000 | 0x005a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0063ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0074ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00750000 | 0x007cdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000960000 | 0x00960000 | 0x0096ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cacls.exe | 0x00b30000 | 0x00b39fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sortdefault.nls | 0x00b40000 | 0x00e14fff | Memory Mapped File | Readable |
|
|
|
- |
| ntmarta.dll | 0x747f0000 | 0x74814fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e700000 | 0x7e700000 | 0x7e7fffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e800000 | 0x7e800000 | 0x7e822fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e828000 | 0x7e828000 | 0x7e828fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e82a000 | 0x7e82a000 | 0x7e82afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e82d000 | 0x7e82d000 | 0x7e82ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #28: cmd.exe
46
0
| Information | Value |
|---|---|
| ID | #28 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /S /D /c" echo y" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:01:57, Reason: Self Terminated |
| Monitor Duration | 00:01:21 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6b8 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6A8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000320000 | 0x00320000 | 0x0033ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x0032ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00333fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00341fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x0035efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0039ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x0049ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x004a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x004b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0051ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00520000 | 0x0059dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0074ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0084ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007eee0000 | 0x7eee0000 | 0x7efdffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f002fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f003000 | 0x7f003000 | 0x7f003fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f00b000 | 0x7f00b000 | 0x7f00bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f00d000 | 0x7f00d000 | 0x7f00ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (12)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
6 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (9)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
3 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 |
Process #29: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #29 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "E:\*.*" /e /d everyone |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:01:58, Reason: Self Terminated |
| Monitor Duration | 00:01:22 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x770 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BFC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000770000 | 0x00770000 | 0x0078ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x00791fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x007aefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x0082ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000830000 | 0x00830000 | 0x00833fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x00840fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x00851fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x0099ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cacls.exe | 0x00b30000 | 0x00b39fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f080000 | 0x7f080000 | 0x7f0a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0aa000 | 0x7f0aa000 | 0x7f0aafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0ab000 | 0x7f0ab000 | 0x7f0abfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0ad000 | 0x7f0ad000 | 0x7f0affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #30: cmd.exe
46
0
| Information | Value |
|---|---|
| ID | #30 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /S /D /c" echo y" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:02:00, Reason: Self Terminated |
| Monitor Duration | 00:01:24 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9a4 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5E4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000000b0000 | 0x000b0000 | 0x000cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x000bffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000eefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x0012ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0022ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00233fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00240fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00251fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00260000 | 0x002ddfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0031ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0052ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x006affff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f060000 | 0x7f060000 | 0x7f15ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f160000 | 0x7f160000 | 0x7f182fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f18b000 | 0x7f18b000 | 0x7f18dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f18e000 | 0x7f18e000 | 0x7f18efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f18f000 | 0x7f18f000 | 0x7f18ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (12)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
6 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 178, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (9)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
3 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 |
Process #31: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #31 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "F:\*.*" /e /d everyone |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:52 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6b0 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
72C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000110000 | 0x00110000 | 0x0012ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x00131fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x0014efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x001cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0021ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cacls.exe | 0x00b30000 | 0x00b39fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f670000 | 0x7f670000 | 0x7f692fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f696000 | 0x7f696000 | 0x7f696fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f69c000 | 0x7f69c000 | 0x7f69efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f69f000 | 0x7f69f000 | 0x7f69ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #32: attrib.exe
0
0
| Information | Value |
|---|---|
| ID | #32 |
| File Name | c:\windows\syswow64\attrib.exe |
| Command Line | attrib +s +a +h +r C:\FRSRAMSOMWARE |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:02:01, Reason: Self Terminated |
| Monitor Duration | 00:01:25 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x810 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5F8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00cfffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ce0000 | 0x00ce0000 | 0x00ceffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00d01fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000d10000 | 0x00d10000 | 0x00d1efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00d5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00d9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000da0000 | 0x00da0000 | 0x00da3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000db0000 | 0x00db0000 | 0x00db0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dc1fff | Private Memory | Readable, Writable |
|
|
|
- |
| attrib.exe | 0x00e40000 | 0x00e47fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| locale.nls | 0x00e50000 | 0x00ecdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x00f3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x010cffff | Private Memory | Readable, Writable |
|
|
|
- |
| ulib.dll | 0x747f0000 | 0x74810fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f570000 | 0x7f570000 | 0x7f66ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f670000 | 0x7f670000 | 0x7f692fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f69b000 | 0x7f69b000 | 0x7f69bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f69c000 | 0x7f69c000 | 0x7f69efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f69f000 | 0x7f69f000 | 0x7f69ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #33: attrib.exe
0
0
| Information | Value |
|---|---|
| ID | #33 |
| File Name | c:\windows\syswow64\attrib.exe |
| Command Line | attrib +s +a +h +r C:\FRS_TEMP |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:37, Reason: Child Process |
| Unmonitor | End Time: 00:02:01, Reason: Self Terminated |
| Monitor Duration | 00:01:24 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x728 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BF4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| attrib.exe | 0x00e40000 | 0x00e47fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x0100ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x01011fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001020000 | 0x01020000 | 0x0102efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001030000 | 0x01030000 | 0x0106ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001070000 | 0x01070000 | 0x010affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000010b0000 | 0x010b0000 | 0x010b3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000010c0000 | 0x010c0000 | 0x010c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000010d0000 | 0x010d0000 | 0x010d1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001230000 | 0x01230000 | 0x0123ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007eb40000 | 0x7eb40000 | 0x7eb62fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eb64000 | 0x7eb64000 | 0x7eb64fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb6c000 | 0x7eb6c000 | 0x7eb6cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb6d000 | 0x7eb6d000 | 0x7eb6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #35: ping.exe
191
13
| Information | Value |
|---|---|
| ID | #35 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 10 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:38, Reason: Child Process |
| Unmonitor | End Time: 00:02:02, Reason: Self Terminated |
| Monitor Duration | 00:01:24 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x93c |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
934
0x
938
0x
928
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00c1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c00000 | 0x00c00000 | 0x00c0ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00c13fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00c21fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c20000 | 0x00c20000 | 0x00c22fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000c30000 | 0x00c30000 | 0x00c3efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00c7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c80000 | 0x00c80000 | 0x00cbffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000cc0000 | 0x00cc0000 | 0x00cc3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000cd0000 | 0x00cd0000 | 0x00cd0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00ce1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00cf0000 | 0x00d6dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00d7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d80000 | 0x00d80000 | 0x00dbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dfffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e00000 | 0x00e00000 | 0x00e00fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x00e10000 | 0x00e12fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00f1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f20000 | 0x00f20000 | 0x00f5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x00f9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x00feffff | Private Memory | Readable, Writable |
|
|
|
- |
| mswsock.dll | 0x73da0000 | 0x73de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73df0000 | 0x73df7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73e00000 | 0x73e1dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007f87d000 | 0x7f87d000 | 0x7f87ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007f880000 | 0x7f880000 | 0x7f97ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f980000 | 0x7f980000 | 0x7f9a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f9a4000 | 0x7f9a4000 | 0x7f9a6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f9a7000 | 0x7f9a7000 | 0x7f9a7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f9aa000 | 0x7f9aa000 | 0x7f9acfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f9ad000 | 0x7f9ad000 | 0x7f9adfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (134)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
45 | |
| Open | STD_OUTPUT_HANDLE | - |
|
45 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
10 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
30 | |
| Write | STD_OUTPUT_HANDLE | size = 94 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (9)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
9 |
Environment (45)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
45 |
Network Behavior
ICMP (10)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
10 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #36: notepad.exe
0
0
| Information | Value |
|---|---|
| ID | #36 |
| File Name | c:\windows\syswow64\notepad.exe |
| Command Line | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\READ_ME_HELP_ME.txt |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:48, Reason: Child Process |
| Unmonitor | End Time: 00:02:03, Reason: Self Terminated |
| Monitor Duration | 00:01:15 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x950 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
964
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| notepad.exe | 0x00890000 | 0x008c7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b20000 | 0x00b20000 | 0x00b2ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b33fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00b41fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b40000 | 0x00b40000 | 0x00b42fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000b50000 | 0x00b50000 | 0x00b5efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00b9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00bdffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000be0000 | 0x00be0000 | 0x00be3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000bf0000 | 0x00bf0000 | 0x00bf2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00c01fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00c10000 | 0x00c8dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000c90000 | 0x00c90000 | 0x00c90fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| notepad.exe.mui | 0x00ca0000 | 0x00ca2fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00cbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00cc0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00cd0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ce0000 | 0x00ce0000 | 0x00ce3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000cf0000 | 0x00cf0000 | 0x00cf1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00d03fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00e0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00efffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f00000 | 0x00f00000 | 0x01087fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001090000 | 0x01090000 | 0x01210fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001220000 | 0x01220000 | 0x0261ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002620000 | 0x02620000 | 0x02710fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002770000 | 0x02770000 | 0x0277ffff | Private Memory | Readable, Writable |
|
|
|
- |
| winspool.drv | 0x736e0000 | 0x7373dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x745f0000 | 0x745f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x74600000 | 0x747e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shcore.dll | 0x74830000 | 0x748a5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x748c0000 | 0x748d7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x748e0000 | 0x749bafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comdlg32.dll | 0x75110000 | 0x75195fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x75a50000 | 0x76bfcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6c0000 | 0x7f6c0000 | 0x7f7bffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f7c0000 | 0x7f7c0000 | 0x7f7e2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f7e8000 | 0x7f7e8000 | 0x7f7e8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f7ec000 | 0x7f7ec000 | 0x7f7ecfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f7ed000 | 0x7f7ed000 | 0x7f7effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #37: ping.exe
191
13
| Information | Value |
|---|---|
| ID | #37 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 10 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:48, Reason: Child Process |
| Unmonitor | End Time: 00:02:03, Reason: Self Terminated |
| Monitor Duration | 00:01:15 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x408 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
4C8
0x
4D8
0x
9DC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00e9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e80000 | 0x00e80000 | 0x00e8ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00e93fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00ea1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x00ea2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000eb0000 | 0x00eb0000 | 0x00ebefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00efffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f40000 | 0x00f40000 | 0x00f43fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000f50000 | 0x00f50000 | 0x00f50fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x00f61fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x00faffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fb0000 | 0x00fb0000 | 0x010affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000010b0000 | 0x010b0000 | 0x010effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000010f0000 | 0x010f0000 | 0x010f0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x01100000 | 0x01102fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001110000 | 0x01110000 | 0x0111ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001120000 | 0x01120000 | 0x0112ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x01130000 | 0x011adfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000011b0000 | 0x011b0000 | 0x011effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000011f0000 | 0x011f0000 | 0x0122ffff | Private Memory | Readable, Writable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f3f0000 | 0x7f3f0000 | 0x7f4effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f4f0000 | 0x7f4f0000 | 0x7f512fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f515000 | 0x7f515000 | 0x7f517fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f518000 | 0x7f518000 | 0x7f518fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f519000 | 0x7f519000 | 0x7f519fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f51a000 | 0x7f51a000 | 0x7f51cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f51d000 | 0x7f51d000 | 0x7f51ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (134)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
45 | |
| Open | STD_OUTPUT_HANDLE | - |
|
45 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
10 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
30 | |
| Write | STD_OUTPUT_HANDLE | size = 94 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (9)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
9 |
Environment (45)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
45 |
Network Behavior
ICMP (10)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
10 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #38: taskkill.exe
0
0
| Information | Value |
|---|---|
| ID | #38 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | taskkill notepad.exe |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:57, Reason: Child Process |
| Unmonitor | End Time: 00:02:06, Reason: Self Terminated |
| Monitor Duration | 00:01:09 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa88 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A98
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000490000 | 0x00490000 | 0x004affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x0049ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004a3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x004b2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x004cefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x0050ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0054ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x00553fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x00560fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x00571fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x00580fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| taskkill.exe.mui | 0x00590000 | 0x00593fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005a0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x006affff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x006b0000 | 0x0072dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x00730fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0074ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x00753fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x00760fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x00770fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x0080ffff | Private Memory | Readable, Writable |
|
|
|
- |
| taskkill.exe | 0x00930000 | 0x00945fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000950000 | 0x00950000 | 0x00ad7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x00c60fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000c70000 | 0x00c70000 | 0x0206ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02070000 | 0x02344fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002350000 | 0x02350000 | 0x0274bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| winsta.dll | 0x73460000 | 0x734a1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x734b0000 | 0x73510fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x73520000 | 0x7352bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x73530000 | 0x7353ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x73540000 | 0x7355afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x73560000 | 0x73569fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dbghelp.dll | 0x73570000 | 0x736b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x736c0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x73da0000 | 0x73ddcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73de0000 | 0x73df3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73e10000 | 0x73e18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74310000 | 0x74317fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x745f0000 | 0x745f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75700000 | 0x7577cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f4b0000 | 0x7f4b0000 | 0x7f5affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f5b0000 | 0x7f5b0000 | 0x7f5d2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f5d4000 | 0x7f5d4000 | 0x7f5d4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f5dc000 | 0x7f5dc000 | 0x7f5defff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f5df000 | 0x7f5df000 | 0x7f5dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #39: ping.exe
191
13
| Information | Value |
|---|---|
| ID | #39 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 10 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:00:58, Reason: Child Process |
| Unmonitor | End Time: 00:02:05, Reason: Self Terminated |
| Monitor Duration | 00:01:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xaf8 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B08
0x
B34
0x
96C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000d40000 | 0x00d40000 | 0x00d5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000d40000 | 0x00d40000 | 0x00d4ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00d53fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00d61fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000d60000 | 0x00d60000 | 0x00d62fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000d70000 | 0x00d70000 | 0x00d7efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000d80000 | 0x00d80000 | 0x00dbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dfffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e00000 | 0x00e00000 | 0x00e03fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000e10000 | 0x00e10000 | 0x00e10fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00e21fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00e30000 | 0x00eadfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000eb0000 | 0x00eb0000 | 0x00eb0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x00ec0000 | 0x00ec2fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00eeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00f2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x0102ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001030000 | 0x01030000 | 0x0106ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001070000 | 0x01070000 | 0x010affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000010b0000 | 0x010b0000 | 0x010effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000011a0000 | 0x011a0000 | 0x011affff | Private Memory | Readable, Writable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f7f0000 | 0x7f7f0000 | 0x7f8effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f8f0000 | 0x7f8f0000 | 0x7f912fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f913000 | 0x7f913000 | 0x7f913fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f916000 | 0x7f916000 | 0x7f918fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f919000 | 0x7f919000 | 0x7f91bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f91c000 | 0x7f91c000 | 0x7f91efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f91f000 | 0x7f91f000 | 0x7f91ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (134)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
45 | |
| Open | STD_OUTPUT_HANDLE | - |
|
45 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
10 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
30 | |
| Write | STD_OUTPUT_HANDLE | size = 94 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (9)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
9 |
Environment (45)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
45 |
Network Behavior
ICMP (10)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
10 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #40: frs_decryptor.exe
10
0
| Information | Value |
|---|---|
| ID | #40 |
| File Name | c:\users\5jghkoaofdp\appdata\local\qb1143663.0f\frs_decryptor.exe |
| Command Line | C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\FRS_Decryptor.exe |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:06, Reason: Self Terminated |
| Monitor Duration | 00:00:59 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x94c |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
510
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x0004efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x001b0000 | 0x0022dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00230fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0028ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002effff | Private Memory | Readable, Writable |
|
|
|
- |
| frs_decryptor.exe | 0x00400000 | 0x00452fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x007c7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x00950fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000960000 | 0x00960000 | 0x01d5ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001d60000 | 0x01d60000 | 0x01e9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| apphelp.dll | 0x749c0000 | 0x74a58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\5jghko~1\appdata\local\temp\cbug7mrd.bat | 7.49 KB |
MD5:
9c104232adc53feb6096bba0c524563e
SHA1: 3513a7eb0b67b708049e6577a6c1bc21ecc77394 SHA256: 6e87c124ab3810cbc17a92e0edfab4231d0716e356733c5fd50af43c373b7e88 |
|
|
Host Behavior
File (4)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5JGHKO~1\AppData\Local\Temp\CBUG7MRD.bat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | C:\Users\5JGHKO~1\AppData\Local\Temp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\5JGHKO~1\AppData\Local\Temp\CBUG7MRD.bat | type = file_attributes |
|
1 | |
| Write | C:\Users\5JGHKO~1\AppData\Local\Temp\CBUG7MRD.bat | size = 7669 |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | cmd.exe /c ""C:\Users\5JGHKO~1\AppData\Local\Temp\CBUG7MRD.bat" C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\FRS_Decryptor.exe " | os_pid = 0x958, creation_flags = CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\users\5jghkoaofdp\appdata\local\qb1143663.0f\frs_decryptor.exe | base_address = 0x400000 |
|
1 |
Keyboard (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = 0, result_out = 4 |
|
1 |
Environment (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = TMP, result_out = C:\Users\5JGHKO~1\AppData\Local\Temp |
|
1 | |
| Set Environment String | name = cmdln |
|
1 |
Process #42: ping.exe
72
6
| Information | Value |
|---|---|
| ID | #42 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 3 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:09, Reason: Self Terminated |
| Monitor Duration | 00:01:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x968 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
12C
0x
168
0x
8B4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00a9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a80000 | 0x00a80000 | 0x00a8ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a93fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00aa1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000aa0000 | 0x00aa0000 | 0x00aa2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ab0000 | 0x00ab0000 | 0x00abefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00afffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b40000 | 0x00b40000 | 0x00b43fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000b50000 | 0x00b50000 | 0x00b50fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00b61fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00b70000 | 0x00bedfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000bf0000 | 0x00bf0000 | 0x00bf0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00c0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00c4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00c8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x00c90000 | 0x00c92fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00cdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00d1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00d5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000eb0000 | 0x00eb0000 | 0x00faffff | Private Memory | Readable, Writable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e760000 | 0x7e760000 | 0x7e85ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e860000 | 0x7e860000 | 0x7e882fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e883000 | 0x7e883000 | 0x7e885fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e886000 | 0x7e886000 | 0x7e886fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e889000 | 0x7e889000 | 0x7e88bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e88c000 | 0x7e88c000 | 0x7e88efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e88f000 | 0x7e88f000 | 0x7e88ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (50)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
17 | |
| Open | STD_OUTPUT_HANDLE | - |
|
17 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
17 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
3 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #43: cmd.exe
426
0
| Information | Value |
|---|---|
| ID | #43 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd.exe /c ""C:\Users\5JGHKO~1\AppData\Local\Temp\CBUG7MRD.bat" C:\Users\5JgHKoaOfdp\AppData\Local\qb1143663.0F\FRS_Decryptor.exe " |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:09, Reason: Self Terminated |
| Monitor Duration | 00:01:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x958 |
| Parent PID | 0x94c (c:\users\5jghkoaofdp\appdata\local\qb1143663.0f\frs_decryptor.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
984
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000f70000 | 0x00f70000 | 0x00f8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f70000 | 0x00f70000 | 0x00f7ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00f83fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x00f91fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x00f93fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000fa0000 | 0x00fa0000 | 0x00faefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000fb0000 | 0x00fb0000 | 0x00feffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x010effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000010f0000 | 0x010f0000 | 0x010f3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001100000 | 0x01100000 | 0x01100fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001110000 | 0x01110000 | 0x01111fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x01120000 | 0x0119dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000011a0000 | 0x011a0000 | 0x011affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000011b0000 | 0x011b0000 | 0x011b2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000011c0000 | 0x011c0000 | 0x011c0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001240000 | 0x01240000 | 0x0124ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001270000 | 0x01270000 | 0x0127ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001420000 | 0x01420000 | 0x0151ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001520000 | 0x01520000 | 0x0191bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x01920000 | 0x01bf4fff | Memory Mapped File | Readable |
|
|
|
- |
| cmdext.dll | 0x74820000 | 0x74826fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e1f0000 | 0x7e1f0000 | 0x7e2effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e2f0000 | 0x7e2f0000 | 0x7e312fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e315000 | 0x7e315000 | 0x7e315fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e317000 | 0x7e317000 | 0x7e317fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e31d000 | 0x7e31d000 | 0x7e31ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (338)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\5JGHKO~1\AppData\Local\Temp\CBUG7MRD.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
4 | |
| Create | C:\Users\5JGHKO~1\AppData\Local\Temp\CBUG7MRD.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
5 | |
| Create | C:\Users\5JGHKO~1\AppData\Local\Temp\CBUG7MRD.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\5JGHKO~1\AppData\Local\Temp\CBUG7MRD.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
20 | |
| Create Directory | C:\FRSDecryptor | - |
|
1 | |
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Get Info | "C:\Users\5JGHKO~1\AppData\Local\Temp\CBUG7MRD.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
4 | |
| Get Info | - | type = file_type |
|
5 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | - | type = file_type |
|
21 | |
| Get Info | - | type = size |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
15 | |
| Get Info | echo. | type = file_attributes |
|
13 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
87 | |
| Open | STD_INPUT_HANDLE | - |
|
30 | |
| Open | - | - |
|
13 | |
| Open | - | - |
|
15 | |
| Open | - | - |
|
3 | |
| Open | - | - |
|
49 | |
| Read | - | size = 8191, size_out = 7669 |
|
1 | |
| Read | - | size = 8191, size_out = 7661 |
|
1 | |
| Read | - | size = 8191, size_out = 7650 |
|
1 | |
| Read | - | size = 8191, size_out = 7629 |
|
1 | |
| Read | - | size = 8191, size_out = 7601 |
|
1 | |
| Read | - | size = 8191, size_out = 7591 |
|
1 | |
| Read | - | size = 8191, size_out = 7589 |
|
1 | |
| Read | - | size = 8191, size_out = 7587 |
|
1 | |
| Read | - | size = 8191, size_out = 7567 |
|
1 | |
| Read | - | size = 8191, size_out = 7531 |
|
1 | |
| Read | - | size = 8191, size_out = 7457 |
|
1 | |
| Read | - | size = 8191, size_out = 7429 |
|
1 | |
| Read | - | size = 8191, size_out = 7401 |
|
1 | |
| Read | - | size = 512, size_out = 512 |
|
2 | |
| Read | - | size = 8191, size_out = 7373 |
|
1 | |
| Read | - | size = 8191, size_out = 7368 |
|
1 | |
| Read | - | size = 8191, size_out = 7361 |
|
1 | |
| Read | - | size = 8191, size_out = 7260 |
|
1 | |
| Read | - | size = 8191, size_out = 7253 |
|
1 | |
| Read | - | size = 8191, size_out = 7150 |
|
1 | |
| Read | - | size = 8191, size_out = 7143 |
|
1 | |
| Read | - | size = 8191, size_out = 7136 |
|
1 | |
| Read | - | size = 8191, size_out = 7087 |
|
1 | |
| Read | - | size = 8191, size_out = 7080 |
|
1 | |
| Read | - | size = 8191, size_out = 7060 |
|
1 | |
| Read | - | size = 8191, size_out = 7053 |
|
1 | |
| Read | - | size = 8191, size_out = 7030 |
|
1 | |
| Read | - | size = 8191, size_out = 7023 |
|
1 | |
| Read | - | size = 8191, size_out = 7016 |
|
1 | |
| Read | - | size = 8191, size_out = 7005 |
|
1 | |
| Read | STD_INPUT_HANDLE | size = 1023 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
8 | |
| Write | STD_OUTPUT_HANDLE | size = 96 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 15 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 18 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 49 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\mode.com | os_pid = 0x53c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\attrib.exe | os_pid = 0x6c8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (60)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
10 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
18 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
19 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = n |
|
2 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
2 | |
| Set Environment String | name = lan, value = 2 |
|
1 |
Process #44: mode.com
0
0
| Information | Value |
|---|---|
| ID | #44 |
| File Name | c:\windows\syswow64\mode.com |
| Command Line | mode con cols=100 lines=30 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:09, Reason: Self Terminated |
| Monitor Duration | 00:01:01 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x53c |
| Parent PID | 0x958 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
750
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| mode.com | 0x00b90000 | 0x00b99fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x00feffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000fd0000 | 0x00fd0000 | 0x00fdffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x00fe3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x00ff1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x00ff3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001000000 | 0x01000000 | 0x0100efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x0104ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001050000 | 0x01050000 | 0x0108ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001090000 | 0x01090000 | 0x01093fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000010a0000 | 0x010a0000 | 0x010a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000010b0000 | 0x010b0000 | 0x010b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000010c0000 | 0x010c0000 | 0x010cffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x010d0000 | 0x0114dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001150000 | 0x01150000 | 0x01150fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001160000 | 0x01160000 | 0x01160fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000011c0000 | 0x011c0000 | 0x012bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000012c0000 | 0x012c0000 | 0x01447fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000014b0000 | 0x014b0000 | 0x014bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000014c0000 | 0x014c0000 | 0x01640fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001650000 | 0x01650000 | 0x02a4ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| fsutilext.dll | 0x73650000 | 0x7365efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ulib.dll | 0x73660000 | 0x73680fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ureg.dll | 0x73da0000 | 0x73da9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f8b0000 | 0x7f8b0000 | 0x7f9affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f9b0000 | 0x7f9b0000 | 0x7f9d2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f9d5000 | 0x7f9d5000 | 0x7f9d5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f9dc000 | 0x7f9dc000 | 0x7f9defff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f9df000 | 0x7f9df000 | 0x7f9dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #45: attrib.exe
0
0
| Information | Value |
|---|---|
| ID | #45 |
| File Name | c:\windows\syswow64\attrib.exe |
| Command Line | attrib +s +a +h +r C:\FRSDecryptor |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:10, Reason: Self Terminated |
| Monitor Duration | 00:01:02 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6c8 |
| Parent PID | 0x958 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A1C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000970000 | 0x00970000 | 0x0098ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000970000 | 0x00970000 | 0x0097ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x00983fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x00991fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x00993fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x009aefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x009effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x00a2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a30000 | 0x00a30000 | 0x00a33fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x00a40fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a51fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00a60000 | 0x00addfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00c0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d40000 | 0x00d40000 | 0x00d4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| attrib.exe | 0x00e40000 | 0x00e47fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x0108ffff | Private Memory | Readable, Writable |
|
|
|
- |
| ulib.dll | 0x73660000 | 0x73680fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fsutilext.dll | 0x73da0000 | 0x73daefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f0f0000 | 0x7f0f0000 | 0x7f1effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f1f0000 | 0x7f1f0000 | 0x7f212fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f21a000 | 0x7f21a000 | 0x7f21afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f21c000 | 0x7f21c000 | 0x7f21efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f21f000 | 0x7f21f000 | 0x7f21ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #46: cmd.exe
51
0
| Information | Value |
|---|---|
| ID | #46 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c find "n" "C:\FRSDecryptor\1.txt" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:11, Reason: Self Terminated |
| Monitor Duration | 00:01:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x780 |
| Parent PID | 0x958 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
610
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00acffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ab0000 | 0x00ab0000 | 0x00abffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00ac3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00ad1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x00aeefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00b2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00c2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c30000 | 0x00c30000 | 0x00c33fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000c40000 | 0x00c40000 | 0x00c40fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00c51fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00c9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00ca0000 | 0x00d1dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00e1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00e5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00e60000 | 0x01134fff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ed70000 | 0x7ed70000 | 0x7ee6ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ee70000 | 0x7ee70000 | 0x7ee92fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ee95000 | 0x7ee95000 | 0x7ee95fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee9a000 | 0x7ee9a000 | 0x7ee9afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee9d000 | 0x7ee9d000 | 0x7ee9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\find.exe | os_pid = 0x8f4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #47: find.exe
0
0
| Information | Value |
|---|---|
| ID | #47 |
| File Name | c:\windows\syswow64\find.exe |
| Command Line | find "n" "C:\FRSDecryptor\1.txt" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:11, Reason: Self Terminated |
| Monitor Duration | 00:01:03 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8f4 |
| Parent PID | 0x780 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2F8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ed0000 | 0x00ed0000 | 0x00eeffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ed0000 | 0x00ed0000 | 0x00edffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00ee3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00ef1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00ef3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f00000 | 0x00f00000 | 0x00f0efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x00f4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x00f8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f90000 | 0x00f90000 | 0x00f93fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000fa0000 | 0x00fa0000 | 0x00fa0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000fb0000 | 0x00fb0000 | 0x00fb1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000fc0000 | 0x00fc0000 | 0x00fc2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000fd0000 | 0x00fd0000 | 0x00fd0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| ulib.dll.mui | 0x00fe0000 | 0x01022fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001030000 | 0x01030000 | 0x0112ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001130000 | 0x01130000 | 0x0113ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x01140000 | 0x011bdfff | Memory Mapped File | Readable |
|
|
|
- |
| find.exe | 0x011c0000 | 0x011c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001310000 | 0x01310000 | 0x0131ffff | Private Memory | Readable, Writable |
|
|
|
- |
| ulib.dll | 0x73660000 | 0x73680fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fsutilext.dll | 0x73da0000 | 0x73daefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ecf0000 | 0x7ecf0000 | 0x7edeffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007edf0000 | 0x7edf0000 | 0x7ee12fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ee1b000 | 0x7ee1b000 | 0x7ee1bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee1c000 | 0x7ee1c000 | 0x7ee1cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee1d000 | 0x7ee1d000 | 0x7ee1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #48: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #48 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c tasklist|find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:10, Reason: Child Process |
| Unmonitor | End Time: 00:02:11, Reason: Self Terminated |
| Monitor Duration | 00:01:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x95c |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8A4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000004c0000 | 0x004c0000 | 0x004dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x004cffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x004d3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x004e1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x004e3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x004fefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0053ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x00643fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x00650fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x00661fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00670000 | 0x006edfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x0077ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x0080ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x009bffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x009c0000 | 0x00c94fff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ea80000 | 0x7ea80000 | 0x7eb7ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007eb80000 | 0x7eb80000 | 0x7eba2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ebab000 | 0x7ebab000 | 0x7ebadfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ebae000 | 0x7ebae000 | 0x7ebaefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ebaf000 | 0x7ebaf000 | 0x7ebaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\tasklist.exe | os_pid = 0x8c4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\find.exe | os_pid = 0x5a0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
5 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #49: tasklist.exe
0
0
| Information | Value |
|---|---|
| ID | #49 |
| File Name | c:\windows\syswow64\tasklist.exe |
| Command Line | tasklist |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:10, Reason: Child Process |
| Unmonitor | End Time: 00:02:12, Reason: Self Terminated |
| Monitor Duration | 00:01:02 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8c4 |
| Parent PID | 0x95c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
434
0x
4EC
0x
4E4
0x
4E0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| tasklist.exe | 0x000a0000 | 0x000b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0035ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x0034ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x00353fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x00361fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x00362fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000370000 | 0x00370000 | 0x0037efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x003bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00403fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x00410fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x00421fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00440000 | 0x004bdfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x004c0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x004d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x004e0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x004f3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00500fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00510fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0055ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0059ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x006dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x00867fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x008affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000008c0000 | 0x008c0000 | 0x00a40fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000a50000 | 0x00a50000 | 0x01e4ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001e50000 | 0x01e50000 | 0x01f91fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x01fa0000 | 0x02274fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002280000 | 0x02280000 | 0x0267bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002680000 | 0x02680000 | 0x026bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000026c0000 | 0x026c0000 | 0x026fffff | Private Memory | Readable, Writable |
|
|
|
- |
| wmiutils.dll | 0x73340000 | 0x7335afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fastprox.dll | 0x73370000 | 0x7341afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x73420000 | 0x7342ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x73460000 | 0x734a1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x734b0000 | 0x73510fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x73520000 | 0x7352bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x73530000 | 0x7353ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x73540000 | 0x7355afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x73560000 | 0x73569fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dbghelp.dll | 0x73570000 | 0x736b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x736c0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x73da0000 | 0x73ddcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73de0000 | 0x73df3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73e10000 | 0x73e18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73f20000 | 0x73f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x73f40000 | 0x73f6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x73f70000 | 0x73f87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74310000 | 0x74317fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x745f0000 | 0x745f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75700000 | 0x7577cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007ea1d000 | 0x7ea1d000 | 0x7ea1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007ea20000 | 0x7ea20000 | 0x7eb1ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007eb20000 | 0x7eb20000 | 0x7eb42fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eb44000 | 0x7eb44000 | 0x7eb44fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb45000 | 0x7eb45000 | 0x7eb47fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb48000 | 0x7eb48000 | 0x7eb4afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb4b000 | 0x7eb4b000 | 0x7eb4dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb4e000 | 0x7eb4e000 | 0x7eb4efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #50: find.exe
0
0
| Information | Value |
|---|---|
| ID | #50 |
| File Name | c:\windows\syswow64\find.exe |
| Command Line | find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:10, Reason: Child Process |
| Unmonitor | End Time: 00:02:14, Reason: Self Terminated |
| Monitor Duration | 00:01:04 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5a0 |
| Parent PID | 0x95c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
4E8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000850000 | 0x00850000 | 0x0086ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x0085ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x00863fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x00871fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x00873fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x0088efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x008cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x0090ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x00913fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x00920fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x00931fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00940000 | 0x009bdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00acffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00cfffff | Private Memory | Readable, Writable |
|
|
|
- |
| find.exe | 0x011c0000 | 0x011c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fsutilext.dll | 0x73360000 | 0x7336efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ulib.dll | 0x73430000 | 0x73450fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007fad0000 | 0x7fad0000 | 0x7fbcffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007fbd0000 | 0x7fbd0000 | 0x7fbf2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007fbfb000 | 0x7fbfb000 | 0x7fbfdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fbfe000 | 0x7fbfe000 | 0x7fbfefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fbff000 | 0x7fbff000 | 0x7fbfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #53: ping.exe
72
6
| Information | Value |
|---|---|
| ID | #53 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 3 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:13, Reason: Child Process |
| Unmonitor | End Time: 00:02:14, Reason: Self Terminated |
| Monitor Duration | 00:01:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7f4 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
71C
0x
7D8
0x
6B4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00a1ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a23fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a31fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a30000 | 0x00a30000 | 0x00a32fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x00a4efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00acffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ad0000 | 0x00ad0000 | 0x00ad3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x00ae0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00af1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00b00000 | 0x00b7dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000b80000 | 0x00b80000 | 0x00b80fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00b9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00bdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00c1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00d1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x00d20000 | 0x00d22fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00daffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00e9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e740000 | 0x7e740000 | 0x7e83ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e840000 | 0x7e840000 | 0x7e862fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e865000 | 0x7e865000 | 0x7e867fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e868000 | 0x7e868000 | 0x7e86afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e86b000 | 0x7e86b000 | 0x7e86bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e86c000 | 0x7e86c000 | 0x7e86efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e86f000 | 0x7e86f000 | 0x7e86ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (50)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
17 | |
| Open | STD_OUTPUT_HANDLE | - |
|
17 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
17 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
3 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #54: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #54 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c tasklist|find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:15, Reason: Child Process |
| Unmonitor | End Time: 00:02:16, Reason: Self Terminated |
| Monitor Duration | 00:01:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xaec |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
ADC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000380000 | 0x00380000 | 0x0039ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x0038ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x00393fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003a3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003befff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x004fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00503fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00510fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x00521fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00530000 | 0x005adfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0061ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0072ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x0098ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00990000 | 0x00c64fff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f300000 | 0x7f300000 | 0x7f3fffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f400000 | 0x7f400000 | 0x7f422fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f423000 | 0x7f423000 | 0x7f423fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f424000 | 0x7f424000 | 0x7f424fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f42d000 | 0x7f42d000 | 0x7f42ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\tasklist.exe | os_pid = 0xacc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\find.exe | os_pid = 0xafc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
5 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #55: tasklist.exe
0
0
| Information | Value |
|---|---|
| ID | #55 |
| File Name | c:\windows\syswow64\tasklist.exe |
| Command Line | tasklist |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:15, Reason: Child Process |
| Unmonitor | End Time: 00:02:16, Reason: Self Terminated |
| Monitor Duration | 00:01:01 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xacc |
| Parent PID | 0xaec (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
ABC
0x
B24
0x
B0C
0x
B4C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| tasklist.exe | 0x000a0000 | 0x000b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x00f7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f60000 | 0x00f60000 | 0x00f6ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x00f73fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00f81fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f80000 | 0x00f80000 | 0x00f82fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000f90000 | 0x00f90000 | 0x00f9efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00fdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x0101ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001020000 | 0x01020000 | 0x01023fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001030000 | 0x01030000 | 0x01030fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001040000 | 0x01040000 | 0x01041fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x01050000 | 0x010cdfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000010d0000 | 0x010d0000 | 0x010d0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000010e0000 | 0x010e0000 | 0x010e0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000010f0000 | 0x010f0000 | 0x010f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001100000 | 0x01100000 | 0x01103fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001110000 | 0x01110000 | 0x01110fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001120000 | 0x01120000 | 0x01120fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001130000 | 0x01130000 | 0x0113ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001140000 | 0x01140000 | 0x0117ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001180000 | 0x01180000 | 0x011bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000011c0000 | 0x011c0000 | 0x011fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001230000 | 0x01230000 | 0x0123ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001240000 | 0x01240000 | 0x0127ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001280000 | 0x01280000 | 0x012bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000012d0000 | 0x012d0000 | 0x013cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000013d0000 | 0x013d0000 | 0x01557fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001560000 | 0x01560000 | 0x016e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000016f0000 | 0x016f0000 | 0x02aeffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002af0000 | 0x02af0000 | 0x02c31fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02c40000 | 0x02f14fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002f20000 | 0x02f20000 | 0x0331bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000003320000 | 0x03320000 | 0x0335ffff | Private Memory | Readable, Writable |
|
|
|
- |
| fastprox.dll | 0x73360000 | 0x7340afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x73420000 | 0x7342ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x73430000 | 0x73471fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x73480000 | 0x734e0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x734f0000 | 0x734fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x73530000 | 0x7353ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x73540000 | 0x7355afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x73560000 | 0x73569fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dbghelp.dll | 0x73570000 | 0x736b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x736c0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x73da0000 | 0x73ddcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73de0000 | 0x73df3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73e10000 | 0x73e18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73f20000 | 0x73f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x73f40000 | 0x73f6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x73f70000 | 0x73f87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74310000 | 0x74317fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x745f0000 | 0x745f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75700000 | 0x7577cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007ed5a000 | 0x7ed5a000 | 0x7ed5cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed5d000 | 0x7ed5d000 | 0x7ed5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007ed60000 | 0x7ed60000 | 0x7ee5ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ee60000 | 0x7ee60000 | 0x7ee82fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ee84000 | 0x7ee84000 | 0x7ee84fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee87000 | 0x7ee87000 | 0x7ee89fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee8a000 | 0x7ee8a000 | 0x7ee8afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee8d000 | 0x7ee8d000 | 0x7ee8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #56: find.exe
0
0
| Information | Value |
|---|---|
| ID | #56 |
| File Name | c:\windows\syswow64\find.exe |
| Command Line | find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:15, Reason: Child Process |
| Unmonitor | End Time: 00:02:15, Reason: Self Terminated |
| Monitor Duration | 00:01:00 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xafc |
| Parent PID | 0xaec (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
3D4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000650000 | 0x00650000 | 0x0066ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x0065ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x00663fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x00671fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x00673fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x0068efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x006cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x0070ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000710000 | 0x00710000 | 0x00713fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x00720fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x00731fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0074ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00750000 | 0x007cdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x0092ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00aeffff | Private Memory | Readable, Writable |
|
|
|
- |
| find.exe | 0x011c0000 | 0x011c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fsutilext.dll | 0x73410000 | 0x7341efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ulib.dll | 0x73500000 | 0x73520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f0f0000 | 0x7f0f0000 | 0x7f1effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f1f0000 | 0x7f1f0000 | 0x7f212fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f215000 | 0x7f215000 | 0x7f215fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f219000 | 0x7f219000 | 0x7f219fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f21d000 | 0x7f21d000 | 0x7f21ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #57: ping.exe
72
6
| Information | Value |
|---|---|
| ID | #57 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 3 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:15, Reason: Child Process |
| Unmonitor | End Time: 00:02:16, Reason: Self Terminated |
| Monitor Duration | 00:01:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb48 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B54
0x
B50
0x
B5C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00f0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ef0000 | 0x00ef0000 | 0x00efffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f03fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x00f11fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f10000 | 0x00f10000 | 0x00f12fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000f20000 | 0x00f20000 | 0x00f2efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x00f6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x00faffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000fb0000 | 0x00fb0000 | 0x00fb3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000fc0000 | 0x00fc0000 | 0x00fc0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x00fd1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00fe0000 | 0x0105dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001060000 | 0x01060000 | 0x0109ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000010a0000 | 0x010a0000 | 0x010a0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x010b0000 | 0x010b2fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000010c0000 | 0x010c0000 | 0x010cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000010d0000 | 0x010d0000 | 0x0110ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001110000 | 0x01110000 | 0x0114ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001150000 | 0x01150000 | 0x0118ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001220000 | 0x01220000 | 0x0131ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000014b0000 | 0x014b0000 | 0x014bffff | Private Memory | Readable, Writable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f380000 | 0x7f380000 | 0x7f47ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f480000 | 0x7f480000 | 0x7f4a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f4a3000 | 0x7f4a3000 | 0x7f4a5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4a6000 | 0x7f4a6000 | 0x7f4a8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4a9000 | 0x7f4a9000 | 0x7f4a9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4aa000 | 0x7f4aa000 | 0x7f4acfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4ad000 | 0x7f4ad000 | 0x7f4adfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (50)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
17 | |
| Open | STD_OUTPUT_HANDLE | - |
|
17 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
17 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
3 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #58: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #58 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c tasklist|find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:17, Reason: Child Process |
| Unmonitor | End Time: 00:02:18, Reason: Self Terminated |
| Monitor Duration | 00:01:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb58 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B64
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000db0000 | 0x00db0000 | 0x00dcffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000db0000 | 0x00db0000 | 0x00dbffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dc3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00dd1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00dd3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000de0000 | 0x00de0000 | 0x00deefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00e2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00f2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f30000 | 0x00f30000 | 0x00f33fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000f40000 | 0x00f40000 | 0x00f40fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x00f51fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00f60000 | 0x00fddfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000010e0000 | 0x010e0000 | 0x010effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001130000 | 0x01130000 | 0x0113ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001470000 | 0x01470000 | 0x0156ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x01570000 | 0x01844fff | Memory Mapped File | Readable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f690000 | 0x7f690000 | 0x7f78ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f790000 | 0x7f790000 | 0x7f7b2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f7b3000 | 0x7f7b3000 | 0x7f7b3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f7ba000 | 0x7f7ba000 | 0x7f7bafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f7bd000 | 0x7f7bd000 | 0x7f7bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 252, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\tasklist.exe | os_pid = 0xb60, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\find.exe | os_pid = 0xb68, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
5 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #59: tasklist.exe
0
0
| Information | Value |
|---|---|
| ID | #59 |
| File Name | c:\windows\syswow64\tasklist.exe |
| Command Line | tasklist |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:18, Reason: Child Process |
| Unmonitor | End Time: 00:02:19, Reason: Self Terminated |
| Monitor Duration | 00:01:01 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb60 |
| Parent PID | 0xb58 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B6C
0x
B70
0x
B7C
0x
B78
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| tasklist.exe | 0x000a0000 | 0x000b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002effff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002f3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x00301fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000300000 | 0x00300000 | 0x00302fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x0031efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0035ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0039ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x00403fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x00410fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0051ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00520000 | 0x0059dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000005a0000 | 0x005a0000 | 0x005a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0061ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x007a7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000007b0000 | 0x007b0000 | 0x00930fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x01d3ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001d40000 | 0x01d40000 | 0x01e81fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x01e90000 | 0x02164fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002170000 | 0x02170000 | 0x0256bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002570000 | 0x02570000 | 0x025affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000025b0000 | 0x025b0000 | 0x025effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000025f0000 | 0x025f0000 | 0x0262ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002630000 | 0x02630000 | 0x0266ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002670000 | 0x02670000 | 0x026affff | Private Memory | Readable, Writable |
|
|
|
- |
| wbemsvc.dll | 0x73410000 | 0x7341ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x73420000 | 0x73461fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x73470000 | 0x734d0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x734e0000 | 0x734ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x73530000 | 0x7353ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x73540000 | 0x7355afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x73560000 | 0x73569fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dbghelp.dll | 0x73570000 | 0x736b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x736c0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x73da0000 | 0x73ddcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73de0000 | 0x73df3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73e10000 | 0x73e18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73f20000 | 0x73f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x73f40000 | 0x73f6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x73f70000 | 0x73f87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74310000 | 0x74317fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x745f0000 | 0x745f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75700000 | 0x7577cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007ec7d000 | 0x7ec7d000 | 0x7ec7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007ec80000 | 0x7ec80000 | 0x7ed7ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ed80000 | 0x7ed80000 | 0x7eda2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eda5000 | 0x7eda5000 | 0x7eda7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eda8000 | 0x7eda8000 | 0x7eda8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eda9000 | 0x7eda9000 | 0x7edabfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007edac000 | 0x7edac000 | 0x7edaefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007edaf000 | 0x7edaf000 | 0x7edaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #60: find.exe
0
0
| Information | Value |
|---|---|
| ID | #60 |
| File Name | c:\windows\syswow64\find.exe |
| Command Line | find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:18, Reason: Child Process |
| Unmonitor | End Time: 00:02:19, Reason: Self Terminated |
| Monitor Duration | 00:01:01 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb68 |
| Parent PID | 0xb58 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B74
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00cfffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ce0000 | 0x00ce0000 | 0x00ceffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00cf3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00d01fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00d03fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000d10000 | 0x00d10000 | 0x00d1efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00d5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00d9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000da0000 | 0x00da0000 | 0x00da3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000db0000 | 0x00db0000 | 0x00db0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dc1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00dfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00f3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00f40000 | 0x00fbdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001050000 | 0x01050000 | 0x0105ffff | Private Memory | Readable, Writable |
|
|
|
- |
| find.exe | 0x011c0000 | 0x011c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fsutilext.dll | 0x734f0000 | 0x734fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ulib.dll | 0x73500000 | 0x73520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ece0000 | 0x7ece0000 | 0x7eddffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ede0000 | 0x7ede0000 | 0x7ee02fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ee09000 | 0x7ee09000 | 0x7ee09fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee0c000 | 0x7ee0c000 | 0x7ee0efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee0f000 | 0x7ee0f000 | 0x7ee0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #61: ping.exe
72
6
| Information | Value |
|---|---|
| ID | #61 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 3 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:18, Reason: Child Process |
| Unmonitor | End Time: 00:02:19, Reason: Self Terminated |
| Monitor Duration | 00:01:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb84 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B80
0x
B8C
0x
B88
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000000b0000 | 0x000b0000 | 0x000cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x000bffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000eefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x0012ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0016ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00173fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x00180fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00191fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x001b0000 | 0x001b2fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001cffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0024dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0028ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0041ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0045ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0049ffff | Private Memory | Readable, Writable |
|
|
|
- |
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f9c0000 | 0x7f9c0000 | 0x7fabffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007fac0000 | 0x7fac0000 | 0x7fae2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007fae3000 | 0x7fae3000 | 0x7fae5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fae6000 | 0x7fae6000 | 0x7fae8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fae9000 | 0x7fae9000 | 0x7fae9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007faea000 | 0x7faea000 | 0x7faeafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007faed000 | 0x7faed000 | 0x7faeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (50)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
17 | |
| Open | STD_OUTPUT_HANDLE | - |
|
17 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
17 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
3 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #62: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #62 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c tasklist|find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:20, Reason: Child Process |
| Unmonitor | End Time: 00:02:21, Reason: Self Terminated |
| Monitor Duration | 00:01:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb94 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B90
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000740000 | 0x00740000 | 0x0075ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x0074ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x00753fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x00761fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x00763fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x0077efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x007bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x008bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000008c0000 | 0x008c0000 | 0x008c3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x008d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x008e1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x008f0000 | 0x0096dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x009cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00beffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00d7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00d80000 | 0x01054fff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e880000 | 0x7e880000 | 0x7e97ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e980000 | 0x7e980000 | 0x7e9a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e9a4000 | 0x7e9a4000 | 0x7e9a4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e9a6000 | 0x7e9a6000 | 0x7e9a6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e9ad000 | 0x7e9ad000 | 0x7e9affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\tasklist.exe | os_pid = 0xb9c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\find.exe | os_pid = 0xba4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
5 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #63: tasklist.exe
0
0
| Information | Value |
|---|---|
| ID | #63 |
| File Name | c:\windows\syswow64\tasklist.exe |
| Command Line | tasklist |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:20, Reason: Child Process |
| Unmonitor | End Time: 00:02:22, Reason: Self Terminated |
| Monitor Duration | 00:01:02 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb9c |
| Parent PID | 0xb94 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B98
0x
BC0
0x
BC8
0x
BC4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| tasklist.exe | 0x000a0000 | 0x000b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0033ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x0032ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00333fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00341fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x00342fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x0035efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0039ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x00401fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00410000 | 0x0048dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x00490fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004a0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004b0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004c3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x004dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x004e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x004f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0053ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0056ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x005affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x0062ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0066ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x0079ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x00927fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x00ab0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ac0000 | 0x00ac0000 | 0x01ebffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001ec0000 | 0x01ec0000 | 0x02001fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02010000 | 0x022e4fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000022f0000 | 0x022f0000 | 0x026ebfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000026f0000 | 0x026f0000 | 0x0272ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wmiutils.dll | 0x73350000 | 0x7336afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fastprox.dll | 0x73370000 | 0x7341afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x73420000 | 0x7342ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x73430000 | 0x73471fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x73480000 | 0x734e0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x734f0000 | 0x734fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x73530000 | 0x7353ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x73540000 | 0x7355afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x73560000 | 0x73569fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dbghelp.dll | 0x73570000 | 0x736b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x736c0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x73da0000 | 0x73ddcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73de0000 | 0x73df3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73e10000 | 0x73e18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73f20000 | 0x73f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x73f40000 | 0x73f6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x73f70000 | 0x73f87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74310000 | 0x74317fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x745f0000 | 0x745f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75700000 | 0x7577cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007e4bd000 | 0x7e4bd000 | 0x7e4bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007e4c0000 | 0x7e4c0000 | 0x7e5bffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e5c0000 | 0x7e5c0000 | 0x7e5e2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e5e3000 | 0x7e5e3000 | 0x7e5e5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e5e6000 | 0x7e5e6000 | 0x7e5e6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e5e7000 | 0x7e5e7000 | 0x7e5e7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e5ea000 | 0x7e5ea000 | 0x7e5ecfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e5ed000 | 0x7e5ed000 | 0x7e5effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #64: find.exe
0
0
| Information | Value |
|---|---|
| ID | #64 |
| File Name | c:\windows\syswow64\find.exe |
| Command Line | find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:20, Reason: Child Process |
| Unmonitor | End Time: 00:02:21, Reason: Self Terminated |
| Monitor Duration | 00:01:01 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xba4 |
| Parent PID | 0xb94 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BA0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000880000 | 0x00880000 | 0x0089ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x0088ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x00893fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008a3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x008befff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x0093ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x00943fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000950000 | 0x00950000 | 0x00950fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000960000 | 0x00960000 | 0x00961fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00970000 | 0x009edfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00b6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00e5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| find.exe | 0x011c0000 | 0x011c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fsutilext.dll | 0x73340000 | 0x7334efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ulib.dll | 0x73500000 | 0x73520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f070000 | 0x7f070000 | 0x7f16ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f170000 | 0x7f170000 | 0x7f192fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f194000 | 0x7f194000 | 0x7f194fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f19a000 | 0x7f19a000 | 0x7f19cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f19d000 | 0x7f19d000 | 0x7f19dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #65: ping.exe
72
6
| Information | Value |
|---|---|
| ID | #65 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 3 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:21, Reason: Child Process |
| Unmonitor | End Time: 00:02:22, Reason: Self Terminated |
| Monitor Duration | 00:01:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbd4 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BD0
0x
BDC
0x
BD8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000650000 | 0x00650000 | 0x0066ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x0065ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x00663fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x00671fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x00672fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x0068efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x006cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x0070ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000710000 | 0x00710000 | 0x00713fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x00720fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x00731fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00740000 | 0x007bdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x0080ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0084ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x00850fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x00860000 | 0x00862fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x008affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008effff | Private Memory | Readable, Writable |
|
|
|
- |
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00b5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00d1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ec00000 | 0x7ec00000 | 0x7ecfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ed00000 | 0x7ed00000 | 0x7ed22fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ed24000 | 0x7ed24000 | 0x7ed26fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed27000 | 0x7ed27000 | 0x7ed29fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed2a000 | 0x7ed2a000 | 0x7ed2afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed2c000 | 0x7ed2c000 | 0x7ed2cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed2d000 | 0x7ed2d000 | 0x7ed2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (50)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
17 | |
| Open | STD_OUTPUT_HANDLE | - |
|
17 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
17 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
3 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #66: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #66 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c tasklist|find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:23, Reason: Child Process |
| Unmonitor | End Time: 00:02:23, Reason: Self Terminated |
| Monitor Duration | 00:01:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbe4 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BE0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005a0000 | 0x005a0000 | 0x005bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000005a0000 | 0x005a0000 | 0x005affff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005b3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005c3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x005defff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x0061ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0071ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x00723fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x00730fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x00741fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00750000 | 0x007cdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x008effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00b2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00caffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00cb0000 | 0x00f84fff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f170000 | 0x7f170000 | 0x7f26ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f270000 | 0x7f270000 | 0x7f292fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f298000 | 0x7f298000 | 0x7f298fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f29c000 | 0x7f29c000 | 0x7f29efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f29f000 | 0x7f29f000 | 0x7f29ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 92, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\tasklist.exe | os_pid = 0x8dc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\find.exe | os_pid = 0x820, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
5 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #67: tasklist.exe
0
0
| Information | Value |
|---|---|
| ID | #67 |
| File Name | c:\windows\syswow64\tasklist.exe |
| Command Line | tasklist |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:23, Reason: Child Process |
| Unmonitor | End Time: 00:02:24, Reason: Self Terminated |
| Monitor Duration | 00:01:01 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8dc |
| Parent PID | 0xbe4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
974
0x
BE8
0x
B40
0x
B3C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| tasklist.exe | 0x000a0000 | 0x000b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x0086ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x0085ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x00863fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x00871fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x00872fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x0088efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x008cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x0090ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x00913fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x00920fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x00931fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00940000 | 0x009bdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x009cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x009d0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x00adffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00ae0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00af0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b03fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b10000 | 0x00b10000 | 0x00b10fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000b20000 | 0x00b20000 | 0x00b20fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00baffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00bdffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000be0000 | 0x00be0000 | 0x00d67fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000d70000 | 0x00d70000 | 0x00ef0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000f00000 | 0x00f00000 | 0x022fffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002300000 | 0x02300000 | 0x02441fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02450000 | 0x02724fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002730000 | 0x02730000 | 0x02b2bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002b30000 | 0x02b30000 | 0x02b6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002b70000 | 0x02b70000 | 0x02baffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002bb0000 | 0x02bb0000 | 0x02beffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002bf0000 | 0x02bf0000 | 0x02c2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wmiutils.dll | 0x73340000 | 0x7335afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fastprox.dll | 0x73370000 | 0x7341afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x73420000 | 0x7342ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x73430000 | 0x73471fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x73480000 | 0x734e0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x734f0000 | 0x734fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x73530000 | 0x7353ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x73540000 | 0x7355afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x73560000 | 0x73569fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dbghelp.dll | 0x73570000 | 0x736b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x736c0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x73da0000 | 0x73ddcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73de0000 | 0x73df3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73e10000 | 0x73e18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73f20000 | 0x73f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x73f40000 | 0x73f6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x73f70000 | 0x73f87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74310000 | 0x74317fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x745f0000 | 0x745f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75700000 | 0x7577cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007ec6d000 | 0x7ec6d000 | 0x7ec6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007ec70000 | 0x7ec70000 | 0x7ed6ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ed70000 | 0x7ed70000 | 0x7ed92fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ed94000 | 0x7ed94000 | 0x7ed94fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed95000 | 0x7ed95000 | 0x7ed97fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed98000 | 0x7ed98000 | 0x7ed9afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed9b000 | 0x7ed9b000 | 0x7ed9dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed9e000 | 0x7ed9e000 | 0x7ed9efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #68: find.exe
0
0
| Information | Value |
|---|---|
| ID | #68 |
| File Name | c:\windows\syswow64\find.exe |
| Command Line | find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:23, Reason: Child Process |
| Unmonitor | End Time: 00:02:24, Reason: Self Terminated |
| Monitor Duration | 00:01:01 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x820 |
| Parent PID | 0xbe4 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8D8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000080000 | 0x00080000 | 0x0009ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x0008ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x00093fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x000a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x000a3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x000befff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x0013ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00143fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00150fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x00161fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x0019ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x002cffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x002d0000 | 0x0034dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x004fffff | Private Memory | Readable, Writable |
|
|
|
- |
| find.exe | 0x011c0000 | 0x011c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fsutilext.dll | 0x73360000 | 0x7336efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ulib.dll | 0x73500000 | 0x73520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f5f0000 | 0x7f5f0000 | 0x7f6effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f712fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f71b000 | 0x7f71b000 | 0x7f71dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f71e000 | 0x7f71e000 | 0x7f71efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f71f000 | 0x7f71f000 | 0x7f71ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #69: ping.exe
72
6
| Information | Value |
|---|---|
| ID | #69 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 3 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:23, Reason: Child Process |
| Unmonitor | End Time: 00:02:24, Reason: Self Terminated |
| Monitor Duration | 00:01:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb44 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6A8
0x
6B8
0x
BFC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x009cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000009b0000 | 0x009b0000 | 0x009bffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x009c3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x009d1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x009d2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000009e0000 | 0x009e0000 | 0x009eefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x00a2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a70000 | 0x00a70000 | 0x00a73fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000a80000 | 0x00a80000 | 0x00a80fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a91fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00aa0000 | 0x00b1dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b60000 | 0x00b60000 | 0x00b60fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x00b70000 | 0x00b72fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00b9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00bdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00c1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00c5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00c9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00ebffff | Private Memory | Readable, Writable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ee30000 | 0x7ee30000 | 0x7ef2ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ef30000 | 0x7ef30000 | 0x7ef52fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ef55000 | 0x7ef55000 | 0x7ef57fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef58000 | 0x7ef58000 | 0x7ef5afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef5b000 | 0x7ef5b000 | 0x7ef5dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef5e000 | 0x7ef5e000 | 0x7ef5efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef5f000 | 0x7ef5f000 | 0x7ef5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (50)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
17 | |
| Open | STD_OUTPUT_HANDLE | - |
|
17 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
17 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
3 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #70: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #70 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c tasklist|find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:25, Reason: Child Process |
| Unmonitor | End Time: 00:02:25, Reason: Self Terminated |
| Monitor Duration | 00:01:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x770 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5E4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000df0000 | 0x00df0000 | 0x00e0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000df0000 | 0x00df0000 | 0x00dfffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e00000 | 0x00e00000 | 0x00e03fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00e11fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00e13fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e20000 | 0x00e20000 | 0x00e2efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00e6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00f6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f70000 | 0x00f70000 | 0x00f73fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000f80000 | 0x00f80000 | 0x00f80fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x00f91fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x010bffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x010c0000 | 0x0113dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001190000 | 0x01190000 | 0x0119ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001210000 | 0x01210000 | 0x0121ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sortdefault.nls | 0x012e0000 | 0x015b4fff | Memory Mapped File | Readable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ec30000 | 0x7ec30000 | 0x7ed2ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ed30000 | 0x7ed30000 | 0x7ed52fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ed57000 | 0x7ed57000 | 0x7ed57fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed5b000 | 0x7ed5b000 | 0x7ed5bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed5d000 | 0x7ed5d000 | 0x7ed5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\tasklist.exe | os_pid = 0x9a4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\find.exe | os_pid = 0x6b0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
5 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #71: tasklist.exe
0
0
| Information | Value |
|---|---|
| ID | #71 |
| File Name | c:\windows\syswow64\tasklist.exe |
| Command Line | tasklist |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:25, Reason: Child Process |
| Unmonitor | End Time: 00:02:27, Reason: Self Terminated |
| Monitor Duration | 00:01:02 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9a4 |
| Parent PID | 0x770 (c:\windows\syswow64\cacls.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
72C
0x
810
0x
BF4
0x
728
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| tasklist.exe | 0x000a0000 | 0x000b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000a00000 | 0x00a00000 | 0x00a1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x00a0ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a13fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a21fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a20000 | 0x00a20000 | 0x00a22fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000a30000 | 0x00a30000 | 0x00a3efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00a7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00abffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ac0000 | 0x00ac0000 | 0x00ac3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ad0000 | 0x00ad0000 | 0x00ad0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00ae1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00af0000 | 0x00b6dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x00b70fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00b80fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00b90fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00ba3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000bb0000 | 0x00bb0000 | 0x00bb0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000bc0000 | 0x00bc0000 | 0x00bc0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00bdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00cdffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ce0000 | 0x00ce0000 | 0x00e21fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00e5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e60000 | 0x00e60000 | 0x00fe7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ff0000 | 0x00ff0000 | 0x01170fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001180000 | 0x01180000 | 0x0257ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02580000 | 0x02854fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002860000 | 0x02860000 | 0x02c5bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002c60000 | 0x02c60000 | 0x02c9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002ca0000 | 0x02ca0000 | 0x02cdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002ce0000 | 0x02ce0000 | 0x02d1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002d20000 | 0x02d20000 | 0x02d5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002d60000 | 0x02d60000 | 0x02d9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002da0000 | 0x02da0000 | 0x02ddffff | Private Memory | Readable, Writable |
|
|
|
- |
| fastprox.dll | 0x73360000 | 0x7340afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x73410000 | 0x7341ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x73420000 | 0x73461fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x73470000 | 0x734d0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x734e0000 | 0x734ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x73530000 | 0x7353ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x73540000 | 0x7355afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x73560000 | 0x73569fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dbghelp.dll | 0x73570000 | 0x736b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x736c0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x73da0000 | 0x73ddcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73de0000 | 0x73df3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73e10000 | 0x73e18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73f20000 | 0x73f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x73f40000 | 0x73f6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x73f70000 | 0x73f87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74310000 | 0x74317fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x745f0000 | 0x745f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75700000 | 0x7577cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007efdd000 | 0x7efdd000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f0e0000 | 0x7f0e0000 | 0x7f102fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f103000 | 0x7f103000 | 0x7f105fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f106000 | 0x7f106000 | 0x7f106fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f109000 | 0x7f109000 | 0x7f109fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f10a000 | 0x7f10a000 | 0x7f10cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f10d000 | 0x7f10d000 | 0x7f10ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #72: find.exe
0
0
| Information | Value |
|---|---|
| ID | #72 |
| File Name | c:\windows\syswow64\find.exe |
| Command Line | find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:25, Reason: Child Process |
| Unmonitor | End Time: 00:02:27, Reason: Self Terminated |
| Monitor Duration | 00:01:02 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6b0 |
| Parent PID | 0x770 (c:\windows\syswow64\cacls.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5F8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00abffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000aa0000 | 0x00aa0000 | 0x00aaffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00ab3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00ac1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00ac3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ad0000 | 0x00ad0000 | 0x00adefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00b1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b60000 | 0x00b60000 | 0x00b63fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x00b70fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00b81fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00beffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00bf0000 | 0x00c6dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00ccffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00e2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| find.exe | 0x011c0000 | 0x011c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fsutilext.dll | 0x734f0000 | 0x734fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ulib.dll | 0x73500000 | 0x73520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f300000 | 0x7f300000 | 0x7f3fffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f400000 | 0x7f400000 | 0x7f422fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f42a000 | 0x7f42a000 | 0x7f42cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f42d000 | 0x7f42d000 | 0x7f42dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f42f000 | 0x7f42f000 | 0x7f42ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #73: ping.exe
72
6
| Information | Value |
|---|---|
| ID | #73 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 3 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:26, Reason: Child Process |
| Unmonitor | End Time: 00:02:27, Reason: Self Terminated |
| Monitor Duration | 00:01:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9c0 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9B4
0x
4CC
0x
940
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000120000 | 0x00120000 | 0x0013ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x0012ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x00133fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00141fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00142fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x0015efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x0019ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x00201fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00210fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x00220000 | 0x00222fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0032ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00330000 | 0x003adfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x0047ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x004bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005affff | Private Memory | Readable, Writable |
|
|
|
- |
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007f4ed000 | 0x7f4ed000 | 0x7f4effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007f4f0000 | 0x7f4f0000 | 0x7f5effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f5f0000 | 0x7f5f0000 | 0x7f612fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f615000 | 0x7f615000 | 0x7f615fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f618000 | 0x7f618000 | 0x7f618fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f61a000 | 0x7f61a000 | 0x7f61cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f61d000 | 0x7f61d000 | 0x7f61ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (50)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
17 | |
| Open | STD_OUTPUT_HANDLE | - |
|
17 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
17 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
3 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #74: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #74 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c tasklist|find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:28, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8c8 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
464
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a70000 | 0x00a70000 | 0x00a8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a70000 | 0x00a70000 | 0x00a7ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00a8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a91fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a93fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000aa0000 | 0x00aa0000 | 0x00aaefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00aeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00beffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000bf0000 | 0x00bf0000 | 0x00bf3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000c00000 | 0x00c00000 | 0x00c00fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00c11fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00c20000 | 0x00c9dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00ca3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00d5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00f6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00f70000 | 0x01244fff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ee90000 | 0x7ee90000 | 0x7ef8ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ef90000 | 0x7ef90000 | 0x7efb2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efb4000 | 0x7efb4000 | 0x7efb4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efbc000 | 0x7efbc000 | 0x7efbcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efbd000 | 0x7efbd000 | 0x7efbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\tasklist.exe | os_pid = 0x40c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\find.exe | os_pid = 0x308, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
5 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #75: tasklist.exe
0
0
| Information | Value |
|---|---|
| ID | #75 |
| File Name | c:\windows\syswow64\tasklist.exe |
| Command Line | tasklist |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:28, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:00 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x40c |
| Parent PID | 0x8c8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
454
0x
3EC
0x
518
0x
3C8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| tasklist.exe | 0x000a0000 | 0x000b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x0089ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x0088ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x00893fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000008a0000 | 0x008a0000 | 0x008a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x008befff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x0093ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x00943fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000950000 | 0x00950000 | 0x00950fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000960000 | 0x00960000 | 0x00961fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x00a6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00a70000 | 0x00aedfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000af0000 | 0x00af0000 | 0x00af0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b00fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b10fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b23fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b30000 | 0x00b30000 | 0x00b30fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000b40000 | 0x00b40000 | 0x00b40fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00b5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00b9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00bdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c30000 | 0x00c30000 | 0x00c3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c40000 | 0x00c40000 | 0x00dc7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000dd0000 | 0x00dd0000 | 0x00f50fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000f60000 | 0x00f60000 | 0x0235ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002360000 | 0x02360000 | 0x024a1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x024b0000 | 0x02784fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002790000 | 0x02790000 | 0x02b8bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| winsta.dll | 0x73420000 | 0x73461fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x73470000 | 0x734d0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x734e0000 | 0x734ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x73530000 | 0x7353ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x73540000 | 0x7355afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x73560000 | 0x73569fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dbghelp.dll | 0x73570000 | 0x736b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x736c0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x73da0000 | 0x73ddcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73de0000 | 0x73df3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73e10000 | 0x73e18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73f20000 | 0x73f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x73f40000 | 0x73f6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x73f70000 | 0x73f87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74310000 | 0x74317fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x745f0000 | 0x745f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75700000 | 0x7577cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007fc50000 | 0x7fc50000 | 0x7fd4ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007fd50000 | 0x7fd50000 | 0x7fd72fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007fd76000 | 0x7fd76000 | 0x7fd78fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fd79000 | 0x7fd79000 | 0x7fd79fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fd7a000 | 0x7fd7a000 | 0x7fd7afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fd7d000 | 0x7fd7d000 | 0x7fd7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #76: find.exe
0
0
| Information | Value |
|---|---|
| ID | #76 |
| File Name | c:\windows\syswow64\find.exe |
| Command Line | find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:28, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:00 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x308 |
| Parent PID | 0x8c8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
3D8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000006b0000 | 0x006b0000 | 0x006cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x006d1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x006eefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x0072ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0076ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x00773fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x00780fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x00791fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x0083ffff | Private Memory | Readable, Writable |
|
|
|
- |
| find.exe | 0x011c0000 | 0x011c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f920000 | 0x7f920000 | 0x7f942fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f949000 | 0x7f949000 | 0x7f949fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f94b000 | 0x7f94b000 | 0x7f94bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f94d000 | 0x7f94d000 | 0x7f94ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #77: ping.exe
72
6
| Information | Value |
|---|---|
| ID | #77 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 3 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:28, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5e8 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
988
0x
2A4
0x
664
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x009affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000990000 | 0x00990000 | 0x0099ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x009a3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x009b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000009b0000 | 0x009b0000 | 0x009b2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000009c0000 | 0x009c0000 | 0x009cefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x00a0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a50000 | 0x00a50000 | 0x00a53fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000a60000 | 0x00a60000 | 0x00a60fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00a71fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00abffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ac0000 | 0x00ac0000 | 0x00ac0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00bcffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00bd0000 | 0x00c4dfff | Memory Mapped File | Readable |
|
|
|
- |
| ping.exe.mui | 0x00c50000 | 0x00c52fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00c6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c70000 | 0x00c70000 | 0x00caffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00ccffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00d0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00d4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007edf0000 | 0x7edf0000 | 0x7eeeffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007eef0000 | 0x7eef0000 | 0x7ef12fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ef13000 | 0x7ef13000 | 0x7ef15fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef16000 | 0x7ef16000 | 0x7ef18fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef19000 | 0x7ef19000 | 0x7ef1bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef1c000 | 0x7ef1c000 | 0x7ef1cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef1f000 | 0x7ef1f000 | 0x7ef1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (50)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
17 | |
| Open | STD_OUTPUT_HANDLE | - |
|
17 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
17 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
3 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #78: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #78 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c tasklist|find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:31, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:57 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8e8 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
884
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000f10000 | 0x00f10000 | 0x00f2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f10000 | 0x00f10000 | 0x00f1ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f20000 | 0x00f20000 | 0x00f23fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x00f31fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x00f33fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f40000 | 0x00f40000 | 0x00f4efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x00f8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x0108ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001090000 | 0x01090000 | 0x01093fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000010a0000 | 0x010a0000 | 0x010a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000010b0000 | 0x010b0000 | 0x010b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x010c0000 | 0x0113dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000011a0000 | 0x011a0000 | 0x011affff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001410000 | 0x01410000 | 0x0150ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000016f0000 | 0x016f0000 | 0x016fffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x01700000 | 0x019d4fff | Memory Mapped File | Readable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e2f0000 | 0x7e2f0000 | 0x7e3effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e3f0000 | 0x7e3f0000 | 0x7e412fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e413000 | 0x7e413000 | 0x7e413fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e414000 | 0x7e414000 | 0x7e414fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e41d000 | 0x7e41d000 | 0x7e41ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\tasklist.exe | os_pid = 0x81c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\find.exe | os_pid = 0x898, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
5 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #79: tasklist.exe
0
0
| Information | Value |
|---|---|
| ID | #79 |
| File Name | c:\windows\syswow64\tasklist.exe |
| Command Line | tasklist |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:31, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:57 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x81c |
| Parent PID | 0x8e8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
444
0x
BBC
0x
BAC
0x
BB0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| tasklist.exe | 0x000a0000 | 0x000b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00edffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ec0000 | 0x00ec0000 | 0x00ecffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ed0000 | 0x00ed0000 | 0x00ed3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00ee1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ee0000 | 0x00ee0000 | 0x00ee2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ef0000 | 0x00ef0000 | 0x00efefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f80000 | 0x00f80000 | 0x00f83fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000f90000 | 0x00f90000 | 0x00f90fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00fa1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00fb0000 | 0x0102dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000001030000 | 0x01030000 | 0x01030fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001040000 | 0x01040000 | 0x01040fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001050000 | 0x01050000 | 0x01050fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001060000 | 0x01060000 | 0x01063fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001070000 | 0x01070000 | 0x0107ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001080000 | 0x01080000 | 0x01080fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001090000 | 0x01090000 | 0x01090fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000010a0000 | 0x010a0000 | 0x010dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000010e0000 | 0x010e0000 | 0x0111ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000011b0000 | 0x011b0000 | 0x011bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000011e0000 | 0x011e0000 | 0x012dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000012e0000 | 0x012e0000 | 0x01467fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001470000 | 0x01470000 | 0x015f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001600000 | 0x01600000 | 0x029fffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002a00000 | 0x02a00000 | 0x02b41fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02b50000 | 0x02e24fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002e30000 | 0x02e30000 | 0x0322bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| winsta.dll | 0x73420000 | 0x73461fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x73470000 | 0x734d0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x734e0000 | 0x734ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x73530000 | 0x7353ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x73540000 | 0x7355afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x73560000 | 0x73569fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dbghelp.dll | 0x73570000 | 0x736b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x736c0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x73da0000 | 0x73ddcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73de0000 | 0x73df3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73e10000 | 0x73e18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73f20000 | 0x73f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x73f40000 | 0x73f6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x73f70000 | 0x73f87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74310000 | 0x74317fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x745f0000 | 0x745f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75700000 | 0x7577cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e700000 | 0x7e700000 | 0x7e7fffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e800000 | 0x7e800000 | 0x7e822fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e825000 | 0x7e825000 | 0x7e827fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e828000 | 0x7e828000 | 0x7e828fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e82c000 | 0x7e82c000 | 0x7e82cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e82d000 | 0x7e82d000 | 0x7e82ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #80: find.exe
0
0
| Information | Value |
|---|---|
| ID | #80 |
| File Name | c:\windows\syswow64\find.exe |
| Command Line | find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:31, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:57 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x898 |
| Parent PID | 0x8e8 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8E4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000410000 | 0x00410000 | 0x0042ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x00431fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x0044efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0048ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x004cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x004d3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x004e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x004f1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x0059ffff | Private Memory | Readable, Writable |
|
|
|
- |
| find.exe | 0x011c0000 | 0x011c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f430000 | 0x7f430000 | 0x7f452fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f45a000 | 0x7f45a000 | 0x7f45afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f45c000 | 0x7f45c000 | 0x7f45efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f45f000 | 0x7f45f000 | 0x7f45ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #81: ping.exe
72
6
| Information | Value |
|---|---|
| ID | #81 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 3 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:31, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:57 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbb4 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BCC
0x
BB8
0x
BA8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000008f0000 | 0x008f0000 | 0x0090ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x008fffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x00903fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x00911fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x00912fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x0092efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x00933fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x0098ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x009cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x009d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x009e1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x009f0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x00a00000 | 0x00a02fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00b0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00b20000 | 0x00b9dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00bdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00c1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00c5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00c9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00d5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007e3cd000 | 0x7e3cd000 | 0x7e3cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007e3d0000 | 0x7e3d0000 | 0x7e4cffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e4d0000 | 0x7e4d0000 | 0x7e4f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e4f5000 | 0x7e4f5000 | 0x7e4f5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e4f8000 | 0x7e4f8000 | 0x7e4fafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e4fb000 | 0x7e4fb000 | 0x7e4fdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e4fe000 | 0x7e4fe000 | 0x7e4fefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (50)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
17 | |
| Open | STD_OUTPUT_HANDLE | - |
|
17 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
17 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
3 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #82: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #82 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c tasklist|find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:33, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x934 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
938
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000d90000 | 0x00d90000 | 0x00daffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000d90000 | 0x00d90000 | 0x00d9ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00daffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00db1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00db3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000dc0000 | 0x00dc0000 | 0x00dcefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00e0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00f0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f10000 | 0x00f10000 | 0x00f13fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000f20000 | 0x00f20000 | 0x00f20fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x00f31fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00f40000 | 0x00fbdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x00fc3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000010a0000 | 0x010a0000 | 0x010affff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000013e0000 | 0x013e0000 | 0x014dffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x014e0000 | 0x017b4fff | Memory Mapped File | Readable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f0b0000 | 0x7f0b0000 | 0x7f1affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f1b0000 | 0x7f1b0000 | 0x7f1d2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f1d7000 | 0x7f1d7000 | 0x7f1d7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f1d8000 | 0x7f1d8000 | 0x7f1d8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f1dd000 | 0x7f1dd000 | 0x7f1dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\tasklist.exe | os_pid = 0x928, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\find.exe | os_pid = 0x4f0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
5 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #83: tasklist.exe
0
0
| Information | Value |
|---|---|
| ID | #83 |
| File Name | c:\windows\syswow64\tasklist.exe |
| Command Line | tasklist |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:33, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x928 |
| Parent PID | 0x934 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
93C
0x
840
0x
9E0
0x
BF8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| tasklist.exe | 0x000a0000 | 0x000b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00aeffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ad0000 | 0x00ad0000 | 0x00adffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00ae3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00af1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000af0000 | 0x00af0000 | 0x00af2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000b00000 | 0x00b00000 | 0x00b0efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00b8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b90000 | 0x00b90000 | 0x00b93fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ba0000 | 0x00ba0000 | 0x00ba0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00bb1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00bc0000 | 0x00c3dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000c40000 | 0x00c40000 | 0x00c40fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00c50fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c60000 | 0x00c60000 | 0x00c60fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c70000 | 0x00c70000 | 0x00c73fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c80000 | 0x00c80000 | 0x00c80fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000c90000 | 0x00c90000 | 0x00c90fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00cdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00d0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00d4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00d8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00dbffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000dc0000 | 0x00dc0000 | 0x00f01fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000f20000 | 0x00f20000 | 0x0101ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001020000 | 0x01020000 | 0x011a7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000011b0000 | 0x011b0000 | 0x01330fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001340000 | 0x01340000 | 0x0273ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02740000 | 0x02a14fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002a20000 | 0x02a20000 | 0x02e1bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002e20000 | 0x02e20000 | 0x02e5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002e60000 | 0x02e60000 | 0x02e9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002ea0000 | 0x02ea0000 | 0x02edffff | Private Memory | Readable, Writable |
|
|
|
- |
| fastprox.dll | 0x73370000 | 0x7341afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x73420000 | 0x7342ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x73430000 | 0x73471fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x73480000 | 0x734e0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x734f0000 | 0x734fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x73530000 | 0x7353ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x73540000 | 0x7355afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x73560000 | 0x73569fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dbghelp.dll | 0x73570000 | 0x736b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x736c0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x73da0000 | 0x73ddcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73de0000 | 0x73df3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73e10000 | 0x73e18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73f20000 | 0x73f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x73f40000 | 0x73f6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x73f70000 | 0x73f87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74310000 | 0x74317fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x745f0000 | 0x745f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75700000 | 0x7577cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007f07d000 | 0x7f07d000 | 0x7f07ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007f080000 | 0x7f080000 | 0x7f17ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f180000 | 0x7f180000 | 0x7f1a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f1a4000 | 0x7f1a4000 | 0x7f1a4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f1a5000 | 0x7f1a5000 | 0x7f1a5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f1a7000 | 0x7f1a7000 | 0x7f1a9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f1aa000 | 0x7f1aa000 | 0x7f1acfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f1ad000 | 0x7f1ad000 | 0x7f1affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #84: find.exe
0
0
| Information | Value |
|---|---|
| ID | #84 |
| File Name | c:\windows\syswow64\find.exe |
| Command Line | find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:33, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4f0 |
| Parent PID | 0x934 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9E4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000320000 | 0x00320000 | 0x0033ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x0032ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00333fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00341fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00343fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x0035efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0039ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x00401fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00410000 | 0x0048dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x0057ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0085ffff | Private Memory | Readable, Writable |
|
|
|
- |
| find.exe | 0x011c0000 | 0x011c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fsutilext.dll | 0x73360000 | 0x7336efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ulib.dll | 0x73500000 | 0x73520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e710000 | 0x7e710000 | 0x7e80ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e810000 | 0x7e810000 | 0x7e832fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e838000 | 0x7e838000 | 0x7e838fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e83c000 | 0x7e83c000 | 0x7e83cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e83d000 | 0x7e83d000 | 0x7e83ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #85: ping.exe
72
6
| Information | Value |
|---|---|
| ID | #85 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 3 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:34, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:54 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x860 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
848
0x
888
0x
278
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000670000 | 0x00670000 | 0x0068ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x0067ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x00683fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x00691fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0069ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x006aefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x006effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x0072ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x00733fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x00740fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x00751fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00760000 | 0x007ddfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x0081ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0085ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x0086ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x00872fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x00880fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x00890000 | 0x00892fff | Memory Mapped File | Readable |
|
|
|
- |
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00c0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e8d0000 | 0x7e8d0000 | 0x7e9cffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e9d0000 | 0x7e9d0000 | 0x7e9f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e9f4000 | 0x7e9f4000 | 0x7e9f4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e9f9000 | 0x7e9f9000 | 0x7e9fbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e9fc000 | 0x7e9fc000 | 0x7e9fefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e9ff000 | 0x7e9ff000 | 0x7e9fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (50)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
17 | |
| Open | STD_OUTPUT_HANDLE | - |
|
17 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
17 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
3 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #86: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #86 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c tasklist|find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:36, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:52 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x648 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
644
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000300000 | 0x00300000 | 0x0031ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000300000 | 0x00300000 | 0x0030ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x00313fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x00321fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x00323fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000330000 | 0x00330000 | 0x0033efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0037ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0047ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00483fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x00490fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x004b0000 | 0x0052dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0071ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x0089ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x008a0000 | 0x00b74fff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ebb0000 | 0x7ebb0000 | 0x7ecaffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ecb0000 | 0x7ecb0000 | 0x7ecd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ecdb000 | 0x7ecdb000 | 0x7ecddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ecde000 | 0x7ecde000 | 0x7ecdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ecdf000 | 0x7ecdf000 | 0x7ecdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\tasklist.exe | os_pid = 0x870, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\find.exe | os_pid = 0x878, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
5 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #87: tasklist.exe
0
0
| Information | Value |
|---|---|
| ID | #87 |
| File Name | c:\windows\syswow64\tasklist.exe |
| Command Line | tasklist |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:36, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:52 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x870 |
| Parent PID | 0x648 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
880
0x
7BC
0x
A38
0x
A28
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| tasklist.exe | 0x000a0000 | 0x000b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000cffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000fefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x0013ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x0017ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x00183fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00190fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x001b0000 | 0x0022dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0037ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0064ffff | Private Memory | Readable, Writable |
|
|
|
- |
| dbghelp.dll | 0x73570000 | 0x736b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x736c0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x73da0000 | 0x73ddcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73de0000 | 0x73df3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73e10000 | 0x73e18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74310000 | 0x74317fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ec90000 | 0x7ec90000 | 0x7ed8ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ed90000 | 0x7ed90000 | 0x7edb2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007edb7000 | 0x7edb7000 | 0x7edb9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007edba000 | 0x7edba000 | 0x7edbafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007edbd000 | 0x7edbd000 | 0x7edbdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #88: find.exe
0
0
| Information | Value |
|---|---|
| ID | #88 |
| File Name | c:\windows\syswow64\find.exe |
| Command Line | find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:36, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:52 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x878 |
| Parent PID | 0x648 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A18
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000820000 | 0x00820000 | 0x0083ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x00841fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x0085efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x0089ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x008e3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x008f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x00901fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x009affff | Private Memory | Readable, Writable |
|
|
|
- |
| find.exe | 0x011c0000 | 0x011c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f460000 | 0x7f460000 | 0x7f482fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f48a000 | 0x7f48a000 | 0x7f48cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f48d000 | 0x7f48d000 | 0x7f48dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f48f000 | 0x7f48f000 | 0x7f48ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #89: ping.exe
72
6
| Information | Value |
|---|---|
| ID | #89 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 3 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:36, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:52 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4c8 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
4D8
0x
9DC
0x
408
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00ebffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x00eaffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000eb0000 | 0x00eb0000 | 0x00eb3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00ec1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ec0000 | 0x00ec0000 | 0x00ec2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ed0000 | 0x00ed0000 | 0x00edefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00f1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f20000 | 0x00f20000 | 0x00f5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f60000 | 0x00f60000 | 0x00f63fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000f70000 | 0x00f70000 | 0x00f70fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00f81fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00f90000 | 0x0100dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x0101ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001020000 | 0x01020000 | 0x0111ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001120000 | 0x01120000 | 0x01120fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x01130000 | 0x01132fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001140000 | 0x01140000 | 0x0114ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001150000 | 0x01150000 | 0x0118ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001190000 | 0x01190000 | 0x011cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000011d0000 | 0x011d0000 | 0x0120ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001210000 | 0x01210000 | 0x0124ffff | Private Memory | Readable, Writable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ec70000 | 0x7ec70000 | 0x7ed6ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ed70000 | 0x7ed70000 | 0x7ed92fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ed95000 | 0x7ed95000 | 0x7ed97fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed98000 | 0x7ed98000 | 0x7ed9afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed9b000 | 0x7ed9b000 | 0x7ed9bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed9c000 | 0x7ed9c000 | 0x7ed9efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed9f000 | 0x7ed9f000 | 0x7ed9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (50)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
17 | |
| Open | STD_OUTPUT_HANDLE | - |
|
17 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
17 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
3 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #90: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #90 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c tasklist|find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:38, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:50 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa98 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A88
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000440000 | 0x00440000 | 0x0045ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x0044ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x00453fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x00461fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x00463fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x0047efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x004bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x005bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x005c3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x005d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005e1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x005f0000 | 0x0066dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x007fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x0088ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00890000 | 0x00b64fff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f8b0000 | 0x7f8b0000 | 0x7f9affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f9b0000 | 0x7f9b0000 | 0x7f9d2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f9d9000 | 0x7f9d9000 | 0x7f9d9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f9dc000 | 0x7f9dc000 | 0x7f9dcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f9dd000 | 0x7f9dd000 | 0x7f9dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\tasklist.exe | os_pid = 0xac8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\find.exe | os_pid = 0xae8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
5 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #91: tasklist.exe
0
0
| Information | Value |
|---|---|
| ID | #91 |
| File Name | c:\windows\syswow64\tasklist.exe |
| Command Line | tasklist |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:38, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:50 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xac8 |
| Parent PID | 0xa98 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AD8
0x
954
0x
B38
0x
8A0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| tasklist.exe | 0x000a0000 | 0x000b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e60000 | 0x00e60000 | 0x00e6ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00e73fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00e81fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e80000 | 0x00e80000 | 0x00e82fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000e90000 | 0x00e90000 | 0x00e9efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00edffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00f1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f20000 | 0x00f20000 | 0x00f23fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000f30000 | 0x00f30000 | 0x00f30fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f41fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f50000 | 0x00f50000 | 0x00f50fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x00f60fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x00f70fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00f83fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f90000 | 0x00f90000 | 0x00f90fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000fa0000 | 0x00fa0000 | 0x00fa0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x00fcffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00fd0000 | 0x0104dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001050000 | 0x01050000 | 0x0108ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001090000 | 0x01090000 | 0x010cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000010d0000 | 0x010d0000 | 0x0110ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001120000 | 0x01120000 | 0x0121ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001220000 | 0x01220000 | 0x0125ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001260000 | 0x01260000 | 0x0129ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000012a0000 | 0x012a0000 | 0x012dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001320000 | 0x01320000 | 0x0132ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001330000 | 0x01330000 | 0x014b7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000014c0000 | 0x014c0000 | 0x01640fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001650000 | 0x01650000 | 0x02a4ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002a50000 | 0x02a50000 | 0x02b91fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02ba0000 | 0x02e74fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002e80000 | 0x02e80000 | 0x0327bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| fastprox.dll | 0x73360000 | 0x7340afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x73410000 | 0x7341ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x73420000 | 0x73461fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x73470000 | 0x734d0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x734e0000 | 0x734ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x73530000 | 0x7353ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x73540000 | 0x7355afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x73560000 | 0x73569fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dbghelp.dll | 0x73570000 | 0x736b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x736c0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x73da0000 | 0x73ddcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73de0000 | 0x73df3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73e10000 | 0x73e18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73f20000 | 0x73f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x73f40000 | 0x73f6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x73f70000 | 0x73f87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74310000 | 0x74317fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x745f0000 | 0x745f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75700000 | 0x7577cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007f3ad000 | 0x7f3ad000 | 0x7f3affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007f3b0000 | 0x7f3b0000 | 0x7f4affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f4b0000 | 0x7f4b0000 | 0x7f4d2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f4d4000 | 0x7f4d4000 | 0x7f4d4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4d6000 | 0x7f4d6000 | 0x7f4d6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4d7000 | 0x7f4d7000 | 0x7f4d9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4da000 | 0x7f4da000 | 0x7f4dcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4dd000 | 0x7f4dd000 | 0x7f4dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #92: find.exe
0
0
| Information | Value |
|---|---|
| ID | #92 |
| File Name | c:\windows\syswow64\find.exe |
| Command Line | find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:38, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:50 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xae8 |
| Parent PID | 0xa98 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B20
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000120000 | 0x00120000 | 0x0013ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x0012ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x00133fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00141fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00143fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x0015efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x0019ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x00201fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00210000 | 0x0028dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0067ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0082ffff | Private Memory | Readable, Writable |
|
|
|
- |
| find.exe | 0x011c0000 | 0x011c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fsutilext.dll | 0x734f0000 | 0x734fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ulib.dll | 0x73500000 | 0x73520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f8e0000 | 0x7f8e0000 | 0x7f9dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f9e0000 | 0x7f9e0000 | 0x7fa02fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007fa0b000 | 0x7fa0b000 | 0x7fa0dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fa0e000 | 0x7fa0e000 | 0x7fa0efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fa0f000 | 0x7fa0f000 | 0x7fa0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #93: ping.exe
72
6
| Information | Value |
|---|---|
| ID | #93 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 3 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:39, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:49 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xaa8 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
4C0
0x
604
0x
21C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000780000 | 0x00780000 | 0x0079ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x0078ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x00793fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x007a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000007b0000 | 0x007b0000 | 0x007befff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x0083ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x00843fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x00850fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x00861fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00870000 | 0x008edfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x0092ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x00930fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x0098ffff | Private Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x00990000 | 0x00992fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x009dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x00a1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00acffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00b4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00e0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007eeb0000 | 0x7eeb0000 | 0x7efaffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (50)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
17 | |
| Open | STD_OUTPUT_HANDLE | - |
|
17 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
17 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
3 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #94: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #94 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c tasklist|find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:41, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:47 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x824 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
84C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000720000 | 0x00720000 | 0x0073ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x0072ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x00733fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x00741fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x00743fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x0075efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0079ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x0089ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000008a0000 | 0x008a0000 | 0x008a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x008b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x008d0000 | 0x0094dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x0099ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00c7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00c80000 | 0x00f54fff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f990000 | 0x7f990000 | 0x7fa8ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007fa90000 | 0x7fa90000 | 0x7fab2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007fab4000 | 0x7fab4000 | 0x7fab4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fab8000 | 0x7fab8000 | 0x7fab8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fabd000 | 0x7fabd000 | 0x7fabffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 188, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\tasklist.exe | os_pid = 0x474, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\find.exe | os_pid = 0x838, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
5 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #95: tasklist.exe
0
0
| Information | Value |
|---|---|
| ID | #95 |
| File Name | c:\windows\syswow64\tasklist.exe |
| Command Line | tasklist |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:41, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:47 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x474 |
| Parent PID | 0x824 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
830
0x
B34
0x
96C
0x
AF8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| tasklist.exe | 0x000a0000 | 0x000b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000d80000 | 0x00d80000 | 0x00d9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000d80000 | 0x00d80000 | 0x00d8ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d90000 | 0x00d90000 | 0x00d93fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00da1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000da0000 | 0x00da0000 | 0x00da2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000db0000 | 0x00db0000 | 0x00dbefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e00000 | 0x00e00000 | 0x00e3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e40000 | 0x00e40000 | 0x00e43fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000e50000 | 0x00e50000 | 0x00e50fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e61fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00e70000 | 0x00eedfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00feffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ff0000 | 0x00ff0000 | 0x00ff0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x01000fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x0101ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001020000 | 0x01020000 | 0x01020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001030000 | 0x01030000 | 0x01033fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001040000 | 0x01040000 | 0x01040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x01050fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001090000 | 0x01090000 | 0x0109ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000010a0000 | 0x010a0000 | 0x01227fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001230000 | 0x01230000 | 0x013b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000013c0000 | 0x013c0000 | 0x027bffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000027c0000 | 0x027c0000 | 0x02901fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02910000 | 0x02be4fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002bf0000 | 0x02bf0000 | 0x02febfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002ff0000 | 0x02ff0000 | 0x0302ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003030000 | 0x03030000 | 0x0306ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003070000 | 0x03070000 | 0x030affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000030b0000 | 0x030b0000 | 0x030effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000030f0000 | 0x030f0000 | 0x0312ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003130000 | 0x03130000 | 0x0316ffff | Private Memory | Readable, Writable |
|
|
|
- |
| fastprox.dll | 0x73370000 | 0x7341afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x73420000 | 0x7342ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x73430000 | 0x73471fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x73480000 | 0x734e0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x734f0000 | 0x734fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x73530000 | 0x7353ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x73540000 | 0x7355afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x73560000 | 0x73569fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dbghelp.dll | 0x73570000 | 0x736b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x736c0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x73da0000 | 0x73ddcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73de0000 | 0x73df3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73e10000 | 0x73e18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73f20000 | 0x73f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x73f40000 | 0x73f6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x73f70000 | 0x73f87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74310000 | 0x74317fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x745f0000 | 0x745f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75700000 | 0x7577cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007f0fd000 | 0x7f0fd000 | 0x7f0fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007f100000 | 0x7f100000 | 0x7f1fffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f200000 | 0x7f200000 | 0x7f222fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f223000 | 0x7f223000 | 0x7f223fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f224000 | 0x7f224000 | 0x7f224fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f227000 | 0x7f227000 | 0x7f229fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f22a000 | 0x7f22a000 | 0x7f22cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f22d000 | 0x7f22d000 | 0x7f22ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #96: find.exe
0
0
| Information | Value |
|---|---|
| ID | #96 |
| File Name | c:\windows\syswow64\find.exe |
| Command Line | find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:41, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:47 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x838 |
| Parent PID | 0x824 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B08
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000009a0000 | 0x009a0000 | 0x009bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x009affff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x009b3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x009c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x009c3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x009defff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x00a1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a60000 | 0x00a60000 | 0x00a63fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000a70000 | 0x00a70000 | 0x00a70fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00a81fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00a90000 | 0x00b0dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00b5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00beffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00d9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| find.exe | 0x011c0000 | 0x011c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fsutilext.dll | 0x73360000 | 0x7336efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ulib.dll | 0x73500000 | 0x73520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6b0000 | 0x7f6b0000 | 0x7f7affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f7b0000 | 0x7f7b0000 | 0x7f7d2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f7db000 | 0x7f7db000 | 0x7f7dbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f7dc000 | 0x7f7dc000 | 0x7f7dcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f7dd000 | 0x7f7dd000 | 0x7f7dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #97: ping.exe
72
6
| Information | Value |
|---|---|
| ID | #97 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 3 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:41, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:47 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x37c |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
750
0x
53C
0x
A1C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000006d0000 | 0x006d0000 | 0x006effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x006dffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006e3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006f1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000006f0000 | 0x006f0000 | 0x006f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x0070efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x0074ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x0078ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x00793fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x007a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x007c0000 | 0x0083dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0087ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x00880fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x00890000 | 0x00892fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x0093ffff | Private Memory | Readable, Writable |
|
|
|
- |
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x0098ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x009fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00b1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efd0000 | 0x7efd0000 | 0x7f0cffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f0d0000 | 0x7f0d0000 | 0x7f0f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0f3000 | 0x7f0f3000 | 0x7f0f3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0f5000 | 0x7f0f5000 | 0x7f0f5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0f7000 | 0x7f0f7000 | 0x7f0f9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0fa000 | 0x7f0fa000 | 0x7f0fcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0fd000 | 0x7f0fd000 | 0x7f0fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (50)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
17 | |
| Open | STD_OUTPUT_HANDLE | - |
|
17 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
17 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
3 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #98: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #98 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c tasklist|find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:44, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:44 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6c8 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2F8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000b10000 | 0x00b10000 | 0x00b2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b10000 | 0x00b10000 | 0x00b1ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b23fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b31fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b33fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b40000 | 0x00b40000 | 0x00b4efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00b8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00c8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c90000 | 0x00c90000 | 0x00c93fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ca0000 | 0x00ca0000 | 0x00ca0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00cb1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00ceffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00cf0000 | 0x00d6dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00f0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x00feffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sortdefault.nls | 0x012e0000 | 0x015b4fff | Memory Mapped File | Readable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ee60000 | 0x7ee60000 | 0x7ef5ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ef60000 | 0x7ef60000 | 0x7ef82fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ef89000 | 0x7ef89000 | 0x7ef8bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef8c000 | 0x7ef8c000 | 0x7ef8cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef8e000 | 0x7ef8e000 | 0x7ef8efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 12, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\tasklist.exe | os_pid = 0x8f4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\find.exe | os_pid = 0x780, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
5 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #99: tasklist.exe
0
0
| Information | Value |
|---|---|
| ID | #99 |
| File Name | c:\windows\syswow64\tasklist.exe |
| Command Line | tasklist |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:44, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:44 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8f4 |
| Parent PID | 0x6c8 (c:\windows\syswow64\attrib.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
610
0x
550
0x
5C4
0x
814
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| tasklist.exe | 0x000a0000 | 0x000b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0044ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x0043ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x00443fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x00451fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00452fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x0046efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x004affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x004f3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00500fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x00511fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00520000 | 0x0059dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000005a0000 | 0x005a0000 | 0x005a0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005e3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x005f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00600fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0064ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0068ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x007fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x00941fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x0098ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000990000 | 0x00990000 | 0x00b17fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000b20000 | 0x00b20000 | 0x00ca0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000cb0000 | 0x00cb0000 | 0x020affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x020b0000 | 0x02384fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002390000 | 0x02390000 | 0x0278bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| winsta.dll | 0x73430000 | 0x73471fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x73480000 | 0x734e0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x734f0000 | 0x734fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x73530000 | 0x7353ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x73540000 | 0x7355afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x73560000 | 0x73569fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dbghelp.dll | 0x73570000 | 0x736b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x736c0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x73da0000 | 0x73ddcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73de0000 | 0x73df3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73e10000 | 0x73e18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73f20000 | 0x73f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x73f40000 | 0x73f6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x73f70000 | 0x73f87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74310000 | 0x74317fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x745f0000 | 0x745f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75700000 | 0x7577cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ecb0000 | 0x7ecb0000 | 0x7edaffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007edb0000 | 0x7edb0000 | 0x7edd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007edd6000 | 0x7edd6000 | 0x7edd8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007edd9000 | 0x7edd9000 | 0x7edd9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eddc000 | 0x7eddc000 | 0x7eddefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eddf000 | 0x7eddf000 | 0x7eddffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #100: find.exe
0
0
| Information | Value |
|---|---|
| ID | #100 |
| File Name | c:\windows\syswow64\find.exe |
| Command Line | find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:44, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:44 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x780 |
| Parent PID | 0x6c8 (c:\windows\syswow64\attrib.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
47C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000006c0000 | 0x006c0000 | 0x006dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006e1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000006f0000 | 0x006f0000 | 0x006fefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x0073ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0077ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x00783fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x00790fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x0089ffff | Private Memory | Readable, Writable |
|
|
|
- |
| find.exe | 0x011c0000 | 0x011c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ec20000 | 0x7ec20000 | 0x7ec42fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ec48000 | 0x7ec48000 | 0x7ec48fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ec4c000 | 0x7ec4c000 | 0x7ec4cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ec4d000 | 0x7ec4d000 | 0x7ec4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #101: ping.exe
72
6
| Information | Value |
|---|---|
| ID | #101 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 3 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:44, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:44 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x804 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
260
0x
63C
0x
2A0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000004f0000 | 0x004f0000 | 0x0050ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x004fffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x00503fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x00511fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00512fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x0052efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0056ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x005affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x005b3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x005c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005d1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x005e0000 | 0x0065dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x00660fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x0067ffff | Private Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x00680000 | 0x00682fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x006affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x006effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x0072ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0076ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x007affff | Private Memory | Readable, Writable |
|
|
|
- |
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00c2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ee40000 | 0x7ee40000 | 0x7ef3ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ef40000 | 0x7ef40000 | 0x7ef62fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ef64000 | 0x7ef64000 | 0x7ef66fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef67000 | 0x7ef67000 | 0x7ef67fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef69000 | 0x7ef69000 | 0x7ef6bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef6c000 | 0x7ef6c000 | 0x7ef6efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef6f000 | 0x7ef6f000 | 0x7ef6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (50)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
17 | |
| Open | STD_OUTPUT_HANDLE | - |
|
17 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
17 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
3 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #102: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #102 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c tasklist|find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:46, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:42 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x80c |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
858
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000009f0000 | 0x009f0000 | 0x00a0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x009fffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a00000 | 0x00a00000 | 0x00a03fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a11fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a13fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a20000 | 0x00a20000 | 0x00a2efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00b6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x00b73fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000b80000 | 0x00b80000 | 0x00b80fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00b91fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00ba0000 | 0x00c1dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00c5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00d2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00f9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00fa0000 | 0x01274fff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e140000 | 0x7e140000 | 0x7e23ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e240000 | 0x7e240000 | 0x7e262fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e265000 | 0x7e265000 | 0x7e265fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e267000 | 0x7e267000 | 0x7e267fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e26d000 | 0x7e26d000 | 0x7e26ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 28, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\tasklist.exe | os_pid = 0x834, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\find.exe | os_pid = 0x83c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
5 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #103: tasklist.exe
0
0
| Information | Value |
|---|---|
| ID | #103 |
| File Name | c:\windows\syswow64\tasklist.exe |
| Command Line | tasklist |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:46, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:42 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x834 |
| Parent PID | 0x80c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
4C4
0x
120
0x
528
0x
75C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| tasklist.exe | 0x000a0000 | 0x000b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0025ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x0024ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00253fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00261fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00262fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x0027efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x002bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000300000 | 0x00300000 | 0x00303fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00310fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x00321fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000330000 | 0x00330000 | 0x00330fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00340fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x00350fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0036ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00370000 | 0x003edfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003f3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00400fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x00410fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0054ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0058ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x005cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x00767fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x008f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000900000 | 0x00900000 | 0x01cfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001d00000 | 0x01d00000 | 0x01e41fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x01e50000 | 0x02124fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002130000 | 0x02130000 | 0x0252bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002530000 | 0x02530000 | 0x0256ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002570000 | 0x02570000 | 0x025affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000025b0000 | 0x025b0000 | 0x025effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000025f0000 | 0x025f0000 | 0x0262ffff | Private Memory | Readable, Writable |
|
|
|
- |
| fastprox.dll | 0x73360000 | 0x7340afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x73410000 | 0x7341ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x73420000 | 0x73461fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x73470000 | 0x734d0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x734e0000 | 0x734ebfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x73530000 | 0x7353ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x73540000 | 0x7355afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x73560000 | 0x73569fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dbghelp.dll | 0x73570000 | 0x736b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x736c0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x73da0000 | 0x73ddcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73de0000 | 0x73df3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73e10000 | 0x73e18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73f20000 | 0x73f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x73f40000 | 0x73f6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x73f70000 | 0x73f87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74310000 | 0x74317fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x745f0000 | 0x745f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75700000 | 0x7577cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007e4ed000 | 0x7e4ed000 | 0x7e4effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007e4f0000 | 0x7e4f0000 | 0x7e5effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e5f0000 | 0x7e5f0000 | 0x7e612fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e615000 | 0x7e615000 | 0x7e615fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e616000 | 0x7e616000 | 0x7e616fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e617000 | 0x7e617000 | 0x7e619fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e61a000 | 0x7e61a000 | 0x7e61cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e61d000 | 0x7e61d000 | 0x7e61ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #104: find.exe
0
0
| Information | Value |
|---|---|
| ID | #104 |
| File Name | c:\windows\syswow64\find.exe |
| Command Line | find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:46, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:42 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x83c |
| Parent PID | 0x80c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
914
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000f50000 | 0x00f50000 | 0x00f6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f50000 | 0x00f50000 | 0x00f5ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x00f63fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x00f71fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x00f73fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f80000 | 0x00f80000 | 0x00f8efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x00fcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x0100ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001010000 | 0x01010000 | 0x01013fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001020000 | 0x01020000 | 0x01020fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001030000 | 0x01030000 | 0x01031fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x01040000 | 0x010bdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001100000 | 0x01100000 | 0x0110ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001130000 | 0x01130000 | 0x0113ffff | Private Memory | Readable, Writable |
|
|
|
- |
| find.exe | 0x011c0000 | 0x011c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000011e0000 | 0x011e0000 | 0x012dffff | Private Memory | Readable, Writable |
|
|
|
- |
| fsutilext.dll | 0x734f0000 | 0x734fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ulib.dll | 0x73500000 | 0x73520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f410000 | 0x7f410000 | 0x7f50ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f510000 | 0x7f510000 | 0x7f532fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f534000 | 0x7f534000 | 0x7f534fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f53c000 | 0x7f53c000 | 0x7f53efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f53f000 | 0x7f53f000 | 0x7f53ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #105: ping.exe
72
6
| Information | Value |
|---|---|
| ID | #105 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 3 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:47, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:41 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x12c |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
168
0x
8B4
0x
968
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00d6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000d50000 | 0x00d50000 | 0x00d5ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00d63fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00d71fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000d70000 | 0x00d70000 | 0x00d72fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000d80000 | 0x00d80000 | 0x00d8efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000d90000 | 0x00d90000 | 0x00dcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00e0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e10000 | 0x00e10000 | 0x00e13fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000e20000 | 0x00e20000 | 0x00e20fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00e31fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00e40000 | 0x00ebdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00efffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f40000 | 0x00f40000 | 0x00f40fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x00f50000 | 0x00f52fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00f8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x00fcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x0100ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001050000 | 0x01050000 | 0x0114ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000012e0000 | 0x012e0000 | 0x012effff | Private Memory | Readable, Writable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ed40000 | 0x7ed40000 | 0x7ee3ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ee40000 | 0x7ee40000 | 0x7ee62fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ee64000 | 0x7ee64000 | 0x7ee64fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee66000 | 0x7ee66000 | 0x7ee68fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee69000 | 0x7ee69000 | 0x7ee6bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee6c000 | 0x7ee6c000 | 0x7ee6efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee6f000 | 0x7ee6f000 | 0x7ee6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (50)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
17 | |
| Open | STD_OUTPUT_HANDLE | - |
|
17 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
17 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
3 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #106: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #106 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c tasklist|find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:49, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:39 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x404 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
580
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000007d0000 | 0x007d0000 | 0x007effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x007dffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007e3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x007f1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x007f3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x0080efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0084ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x0094ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000950000 | 0x00950000 | 0x00953fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000960000 | 0x00960000 | 0x00960fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x00971fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009a0000 | 0x009a0000 | 0x009affff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x009b0000 | 0x00a2dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00c1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00c20000 | 0x00ef4fff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007eec0000 | 0x7eec0000 | 0x7efbffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007efc0000 | 0x7efc0000 | 0x7efe2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007efe9000 | 0x7efe9000 | 0x7efebfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efec000 | 0x7efec000 | 0x7efecfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007efef000 | 0x7efef000 | 0x7efeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 178, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\tasklist.exe | os_pid = 0x77c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\find.exe | os_pid = 0x4e0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
5 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #107: tasklist.exe
0
0
| Information | Value |
|---|---|
| ID | #107 |
| File Name | c:\windows\syswow64\tasklist.exe |
| Command Line | tasklist |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:49, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:39 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x77c |
| Parent PID | 0x404 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
32C
0x
434
0x
4EC
0x
8C4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| tasklist.exe | 0x000a0000 | 0x000b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x0076ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x0075ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x00763fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x00771fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x00772fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x0078efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x007cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x0080ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x00813fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x00820fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x00831fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x00840fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x00850fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x00860fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x00873fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x0088ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x00890fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000008a0000 | 0x008a0000 | 0x008a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x009affff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x009b0000 | 0x00a2dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a70000 | 0x00a70000 | 0x00aaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00aeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00b2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00b4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b50000 | 0x00b50000 | 0x00cd7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ce0000 | 0x00ce0000 | 0x00e60fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000e70000 | 0x00e70000 | 0x0226ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002270000 | 0x02270000 | 0x023b1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x023c0000 | 0x02694fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000026a0000 | 0x026a0000 | 0x02a9bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002aa0000 | 0x02aa0000 | 0x02adffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002ae0000 | 0x02ae0000 | 0x02b1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wmiutils.dll | 0x73350000 | 0x7336afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fastprox.dll | 0x73370000 | 0x7341afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x73420000 | 0x7342ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x73430000 | 0x73471fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x73480000 | 0x734e0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x734f0000 | 0x734fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x73530000 | 0x7353ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x73540000 | 0x7355afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x73560000 | 0x73569fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dbghelp.dll | 0x73570000 | 0x736b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x736c0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x73da0000 | 0x73ddcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73de0000 | 0x73df3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73e10000 | 0x73e18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73f20000 | 0x73f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x73f40000 | 0x73f6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x73f70000 | 0x73f87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74310000 | 0x74317fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x745f0000 | 0x745f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75700000 | 0x7577cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007ecca000 | 0x7ecca000 | 0x7ecccfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eccd000 | 0x7eccd000 | 0x7eccffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007ecd0000 | 0x7ecd0000 | 0x7edcffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007edd0000 | 0x7edd0000 | 0x7edf2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007edf5000 | 0x7edf5000 | 0x7edf5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007edf9000 | 0x7edf9000 | 0x7edf9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007edfa000 | 0x7edfa000 | 0x7edfcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007edfd000 | 0x7edfd000 | 0x7edfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #108: find.exe
0
0
| Information | Value |
|---|---|
| ID | #108 |
| File Name | c:\windows\syswow64\find.exe |
| Command Line | find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:49, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:39 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4e0 |
| Parent PID | 0x404 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
4E4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000009c0000 | 0x009c0000 | 0x009dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000009c0000 | 0x009c0000 | 0x009cffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x009d3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x009e1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x009e3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x009fefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000a00000 | 0x00a00000 | 0x00a3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00a7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a80000 | 0x00a80000 | 0x00a83fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x00a90fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000aa0000 | 0x00aa0000 | 0x00aa1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00ab0000 | 0x00b2dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c00000 | 0x00c00000 | 0x00c0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00d3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| find.exe | 0x011c0000 | 0x011c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fsutilext.dll | 0x73340000 | 0x7334efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ulib.dll | 0x73500000 | 0x73520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f0e0000 | 0x7f0e0000 | 0x7f102fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f105000 | 0x7f105000 | 0x7f105fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f10c000 | 0x7f10c000 | 0x7f10efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f10f000 | 0x7f10f000 | 0x7f10ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #109: ping.exe
72
6
| Information | Value |
|---|---|
| ID | #109 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 3 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:49, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:39 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4e8 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
5A0
0x
8A4
0x
95C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000d10000 | 0x00d10000 | 0x00d2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000d10000 | 0x00d10000 | 0x00d1ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00d23fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d31fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000d30000 | 0x00d30000 | 0x00d32fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000d40000 | 0x00d40000 | 0x00d4efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00d8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d90000 | 0x00d90000 | 0x00dcffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000dd0000 | 0x00dd0000 | 0x00dd3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000de0000 | 0x00de0000 | 0x00de0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00df1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00e00000 | 0x00e7dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00ebffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ec0000 | 0x00ec0000 | 0x00ec0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ed0000 | 0x00ed0000 | 0x00edffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00f1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x00f20000 | 0x00f22fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x00f6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x00f9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00fdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000010b0000 | 0x010b0000 | 0x011affff | Private Memory | Readable, Writable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ece0000 | 0x7ece0000 | 0x7eddffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ede0000 | 0x7ede0000 | 0x7ee02fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ee05000 | 0x7ee05000 | 0x7ee07fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee08000 | 0x7ee08000 | 0x7ee0afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee0b000 | 0x7ee0b000 | 0x7ee0dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee0e000 | 0x7ee0e000 | 0x7ee0efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee0f000 | 0x7ee0f000 | 0x7ee0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (50)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
17 | |
| Open | STD_OUTPUT_HANDLE | - |
|
17 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
17 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
3 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #110: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #110 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c tasklist|find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:51, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:37 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9b0 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
71C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000550000 | 0x00550000 | 0x0056ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x0055ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0056ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x00571fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x00573fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x0058efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x005cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x006cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x006d3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x006e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006f1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00700000 | 0x0077dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x00783fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x007dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0091ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00920000 | 0x00bf4fff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e980000 | 0x7e980000 | 0x7ea7ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ea80000 | 0x7ea80000 | 0x7eaa2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eaa5000 | 0x7eaa5000 | 0x7eaa5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eaab000 | 0x7eaab000 | 0x7eaabfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eaad000 | 0x7eaad000 | 0x7eaaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 178, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\tasklist.exe | os_pid = 0x7d8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\find.exe | os_pid = 0x7f4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
5 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #111: tasklist.exe
0
0
| Information | Value |
|---|---|
| ID | #111 |
| File Name | c:\windows\syswow64\tasklist.exe |
| Command Line | tasklist |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:51, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:37 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7d8 |
| Parent PID | 0x9b0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6B4
0x
B0C
0x
ABC
0x
B24
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| tasklist.exe | 0x000a0000 | 0x000b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000fb0000 | 0x00fb0000 | 0x00fcffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000fb0000 | 0x00fb0000 | 0x00fbffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x00fc3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x00fd1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000fd0000 | 0x00fd0000 | 0x00fd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000fe0000 | 0x00fe0000 | 0x00feefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x0102ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001030000 | 0x01030000 | 0x0106ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001070000 | 0x01070000 | 0x01073fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001080000 | 0x01080000 | 0x01080fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001090000 | 0x01090000 | 0x01091fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x010a0000 | 0x0111dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000001120000 | 0x01120000 | 0x01120fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001130000 | 0x01130000 | 0x01130fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001140000 | 0x01140000 | 0x0114ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001150000 | 0x01150000 | 0x012d7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000012e0000 | 0x012e0000 | 0x012effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000012f0000 | 0x012f0000 | 0x013effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000013f0000 | 0x013f0000 | 0x01570fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001580000 | 0x01580000 | 0x0297ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002980000 | 0x02980000 | 0x02ac1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002ad0000 | 0x02ad0000 | 0x02ad0fff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x02ae0000 | 0x02db4fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000002dc0000 | 0x02dc0000 | 0x02dc3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000002dd0000 | 0x02dd0000 | 0x031cbfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000031d0000 | 0x031d0000 | 0x031d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000031e0000 | 0x031e0000 | 0x031e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000031f0000 | 0x031f0000 | 0x0322ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003230000 | 0x03230000 | 0x0326ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003270000 | 0x03270000 | 0x032affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000032b0000 | 0x032b0000 | 0x032effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000032f0000 | 0x032f0000 | 0x0332ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003330000 | 0x03330000 | 0x0336ffff | Private Memory | Readable, Writable |
|
|
|
- |
| wmiutils.dll | 0x73340000 | 0x7335afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fastprox.dll | 0x73370000 | 0x7341afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x73420000 | 0x7342ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x73430000 | 0x73471fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x73480000 | 0x734e0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x734f0000 | 0x734fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x73530000 | 0x7353ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x73540000 | 0x7355afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x73560000 | 0x73569fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dbghelp.dll | 0x73570000 | 0x736b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x736c0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x73da0000 | 0x73ddcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73de0000 | 0x73df3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73e10000 | 0x73e18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73f20000 | 0x73f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x73f40000 | 0x73f6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x73f70000 | 0x73f87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74310000 | 0x74317fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x745f0000 | 0x745f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75700000 | 0x7577cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007ea5a000 | 0x7ea5a000 | 0x7ea5cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ea5d000 | 0x7ea5d000 | 0x7ea5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007ea60000 | 0x7ea60000 | 0x7eb5ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007eb60000 | 0x7eb60000 | 0x7eb82fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eb84000 | 0x7eb84000 | 0x7eb84fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb88000 | 0x7eb88000 | 0x7eb88fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb8a000 | 0x7eb8a000 | 0x7eb8cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb8d000 | 0x7eb8d000 | 0x7eb8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #112: find.exe
0
0
| Information | Value |
|---|---|
| ID | #112 |
| File Name | c:\windows\syswow64\find.exe |
| Command Line | find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:51, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:37 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7f4 |
| Parent PID | 0x9b0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B4C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000e60000 | 0x00e60000 | 0x00e7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e60000 | 0x00e60000 | 0x00e6ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00e73fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00e81fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00e83fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e90000 | 0x00e90000 | 0x00e9efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00edffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00f1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f20000 | 0x00f20000 | 0x00f23fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000f30000 | 0x00f30000 | 0x00f30fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f41fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00f50000 | 0x00fcdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000010f0000 | 0x010f0000 | 0x010fffff | Private Memory | Readable, Writable |
|
|
|
- |
| find.exe | 0x011c0000 | 0x011c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000012f0000 | 0x012f0000 | 0x013effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001560000 | 0x01560000 | 0x0156ffff | Private Memory | Readable, Writable |
|
|
|
- |
| fsutilext.dll | 0x73360000 | 0x7336efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ulib.dll | 0x73500000 | 0x73520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f240000 | 0x7f240000 | 0x7f33ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f340000 | 0x7f340000 | 0x7f362fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f363000 | 0x7f363000 | 0x7f363fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f36c000 | 0x7f36c000 | 0x7f36efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f36f000 | 0x7f36f000 | 0x7f36ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #113: ping.exe
72
6
| Information | Value |
|---|---|
| ID | #113 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 3 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:52, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:36 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3d4 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AFC
0x
ADC
0x
AEC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x00f4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f30000 | 0x00f30000 | 0x00f3ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f43fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x00f51fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f50000 | 0x00f50000 | 0x00f52fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000f60000 | 0x00f60000 | 0x00f6efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x00faffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fb0000 | 0x00fb0000 | 0x00feffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ff0000 | 0x00ff0000 | 0x00ff3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001000000 | 0x01000000 | 0x01000fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x01011fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x01020000 | 0x0109dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000010a0000 | 0x010a0000 | 0x0119ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000011a0000 | 0x011a0000 | 0x011dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000011e0000 | 0x011e0000 | 0x011effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000011f0000 | 0x011f0000 | 0x0122ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001230000 | 0x01230000 | 0x01230fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x01240000 | 0x01242fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001250000 | 0x01250000 | 0x0128ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001290000 | 0x01290000 | 0x012cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001310000 | 0x01310000 | 0x0131ffff | Private Memory | Readable, Writable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7f0affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f0b0000 | 0x7f0b0000 | 0x7f0d2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0d3000 | 0x7f0d3000 | 0x7f0d5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0d6000 | 0x7f0d6000 | 0x7f0d6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0d9000 | 0x7f0d9000 | 0x7f0dbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0dc000 | 0x7f0dc000 | 0x7f0dcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0dd000 | 0x7f0dd000 | 0x7f0dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (50)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
17 | |
| Open | STD_OUTPUT_HANDLE | - |
|
17 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
17 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
3 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #114: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #114 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c tasklist|find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:54, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:34 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb54 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B50
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000c30000 | 0x00c30000 | 0x00c4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c30000 | 0x00c30000 | 0x00c3ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00c43fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00c51fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00c53fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c60000 | 0x00c60000 | 0x00c6efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000c70000 | 0x00c70000 | 0x00caffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00daffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000db0000 | 0x00db0000 | 0x00db3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000dc0000 | 0x00dc0000 | 0x00dc0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00dd1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00de0000 | 0x00e5dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00f5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x00f6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001100000 | 0x01100000 | 0x0110ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sortdefault.nls | 0x012e0000 | 0x015b4fff | Memory Mapped File | Readable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ee50000 | 0x7ee50000 | 0x7ef4ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ef50000 | 0x7ef50000 | 0x7ef72fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ef79000 | 0x7ef79000 | 0x7ef7bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef7c000 | 0x7ef7c000 | 0x7ef7cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef7e000 | 0x7ef7e000 | 0x7ef7efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\tasklist.exe | os_pid = 0xb5c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\find.exe | os_pid = 0xb78, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
5 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #115: tasklist.exe
0
0
| Information | Value |
|---|---|
| ID | #115 |
| File Name | c:\windows\syswow64\tasklist.exe |
| Command Line | tasklist |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:54, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:34 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb5c |
| Parent PID | 0xb54 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B48
0x
B6C
0x
B70
0x
B60
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| tasklist.exe | 0x000a0000 | 0x000b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00e6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e50000 | 0x00e50000 | 0x00e5ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e63fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00e71fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e80000 | 0x00e80000 | 0x00e8efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00ecffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ed0000 | 0x00ed0000 | 0x00f0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f10000 | 0x00f10000 | 0x00f13fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000f20000 | 0x00f20000 | 0x00f20fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x00f31fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x00f9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00fa0000 | 0x0101dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001130000 | 0x01130000 | 0x0122ffff | Private Memory | Readable, Writable |
|
|
|
- |
| dbghelp.dll | 0x73570000 | 0x736b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x736c0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x73da0000 | 0x73ddcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73de0000 | 0x73df3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73e10000 | 0x73e18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74310000 | 0x74317fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e6a0000 | 0x7e6a0000 | 0x7e79ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e7a0000 | 0x7e7a0000 | 0x7e7c2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e7c9000 | 0x7e7c9000 | 0x7e7cbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e7cc000 | 0x7e7cc000 | 0x7e7ccfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e7cf000 | 0x7e7cf000 | 0x7e7cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #116: find.exe
0
0
| Information | Value |
|---|---|
| ID | #116 |
| File Name | c:\windows\syswow64\find.exe |
| Command Line | find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:54, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:34 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb78 |
| Parent PID | 0xb54 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B7C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000e10000 | 0x00e10000 | 0x00e2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00e31fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e40000 | 0x00e40000 | 0x00e4efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00e8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00ecffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ed0000 | 0x00ed0000 | 0x00ed3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ee0000 | 0x00ee0000 | 0x00ee0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00ef1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x0101ffff | Private Memory | Readable, Writable |
|
|
|
- |
| find.exe | 0x011c0000 | 0x011c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007eaa0000 | 0x7eaa0000 | 0x7eac2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eac6000 | 0x7eac6000 | 0x7eac6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eaca000 | 0x7eaca000 | 0x7eacafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eacd000 | 0x7eacd000 | 0x7eacffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #117: ping.exe
72
6
| Information | Value |
|---|---|
| ID | #117 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 3 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:54, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:34 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb74 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B68
0x
B64
0x
B58
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000200000 | 0x00200000 | 0x0021ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x0020ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00213fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00221fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00222fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x0023efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0027ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x002bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002e1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x0032ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0033ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00340000 | 0x003bdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00400fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x00410000 | 0x00412fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0045ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0049ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x005dffff | Private Memory | Readable, Writable |
|
|
|
- |
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007e5fd000 | 0x7e5fd000 | 0x7e5fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007e600000 | 0x7e600000 | 0x7e6fffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e700000 | 0x7e700000 | 0x7e722fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e725000 | 0x7e725000 | 0x7e725fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e729000 | 0x7e729000 | 0x7e729fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e72a000 | 0x7e72a000 | 0x7e72cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e72d000 | 0x7e72d000 | 0x7e72ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (50)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
17 | |
| Open | STD_OUTPUT_HANDLE | - |
|
17 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
17 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
3 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #118: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #118 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c tasklist|find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:57, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:31 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb8c |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B88
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000007f0000 | 0x007f0000 | 0x0080ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x007fffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x00803fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x00811fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x00813fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x0082efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x0086ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x0096ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000970000 | 0x00970000 | 0x00973fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x00980fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x00991fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x009a0000 | 0x00a1dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00adffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00d0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00e7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00e80000 | 0x01154fff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ea40000 | 0x7ea40000 | 0x7eb3ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007eb40000 | 0x7eb40000 | 0x7eb62fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eb63000 | 0x7eb63000 | 0x7eb63fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb6a000 | 0x7eb6a000 | 0x7eb6afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb6d000 | 0x7eb6d000 | 0x7eb6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\tasklist.exe | os_pid = 0xb84, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\find.exe | os_pid = 0xbc8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
5 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #119: tasklist.exe
0
0
| Information | Value |
|---|---|
| ID | #119 |
| File Name | c:\windows\syswow64\tasklist.exe |
| Command Line | tasklist |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:57, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:31 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb84 |
| Parent PID | 0xb8c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BC4
0x
BC0
0x
B9C
0x
BA0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| tasklist.exe | 0x000a0000 | 0x000b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x0025ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00263fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x00271fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00272fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x0028efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x0030ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00313fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00320fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00331fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00340000 | 0x003bdfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003f3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00400fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x00410fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0045ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0049ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x004dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0070ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000710000 | 0x00710000 | 0x00897fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x008effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x00a70fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000a80000 | 0x00a80000 | 0x01e7ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001e80000 | 0x01e80000 | 0x01fc1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x01fd0000 | 0x022a4fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000022b0000 | 0x022b0000 | 0x026abfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| winsta.dll | 0x73430000 | 0x73471fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x73480000 | 0x734e0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x734f0000 | 0x734fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x73530000 | 0x7353ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x73540000 | 0x7355afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x73560000 | 0x73569fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dbghelp.dll | 0x73570000 | 0x736b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x736c0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x73da0000 | 0x73ddcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73de0000 | 0x73df3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73e10000 | 0x73e18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73f20000 | 0x73f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x73f40000 | 0x73f6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x73f70000 | 0x73f87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74310000 | 0x74317fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x745f0000 | 0x745f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75700000 | 0x7577cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f5c0000 | 0x7f5c0000 | 0x7f6bffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f6c0000 | 0x7f6c0000 | 0x7f6e2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f6e4000 | 0x7f6e4000 | 0x7f6e4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f6e9000 | 0x7f6e9000 | 0x7f6ebfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f6ec000 | 0x7f6ec000 | 0x7f6eefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f6ef000 | 0x7f6ef000 | 0x7f6effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #120: find.exe
0
0
| Information | Value |
|---|---|
| ID | #120 |
| File Name | c:\windows\syswow64\find.exe |
| Command Line | find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:57, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:31 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbc8 |
| Parent PID | 0xb8c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B98
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000007a0000 | 0x007a0000 | 0x007bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x007defff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x0081ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0085ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x00863fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x00870fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x00881fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x0092ffff | Private Memory | Readable, Writable |
|
|
|
- |
| find.exe | 0x011c0000 | 0x011c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e840000 | 0x7e840000 | 0x7e862fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e868000 | 0x7e868000 | 0x7e868fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e86b000 | 0x7e86b000 | 0x7e86dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e86e000 | 0x7e86e000 | 0x7e86efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #121: ping.exe
72
6
| Information | Value |
|---|---|
| ID | #121 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 3 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:57, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:31 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xba4 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B90
0x
B94
0x
BD0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000003c0000 | 0x003c0000 | 0x003dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003fefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x0047ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00483fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x00490fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x004b0000 | 0x0052dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0056ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x005affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x005b0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x005c0000 | 0x005c2fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x0060ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0064ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0065ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x0084ffff | Private Memory | Readable, Writable |
|
|
|
- |
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f1d0000 | 0x7f1d0000 | 0x7f2cffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f2d0000 | 0x7f2d0000 | 0x7f2f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f2f5000 | 0x7f2f5000 | 0x7f2f5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f2f6000 | 0x7f2f6000 | 0x7f2f8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f2f9000 | 0x7f2f9000 | 0x7f2fbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f2fc000 | 0x7f2fc000 | 0x7f2fefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f2ff000 | 0x7f2ff000 | 0x7f2fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (50)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
17 | |
| Open | STD_OUTPUT_HANDLE | - |
|
17 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
17 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
3 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #123: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #123 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c tasklist|find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:59, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:29 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbdc |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BD8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000460000 | 0x00460000 | 0x0047ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x0046ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x00473fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x00481fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x00483fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x0049efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x005dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x005e3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x005f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x00601fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00610000 | 0x0068dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x0071ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x0084ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x0095ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00960000 | 0x00c34fff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ed20000 | 0x7ed20000 | 0x7ee1ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ee20000 | 0x7ee20000 | 0x7ee42fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ee44000 | 0x7ee44000 | 0x7ee44fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee4c000 | 0x7ee4c000 | 0x7ee4efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee4f000 | 0x7ee4f000 | 0x7ee4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 178, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\tasklist.exe | os_pid = 0xbd4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\find.exe | os_pid = 0xb40, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
5 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #124: tasklist.exe
0
0
| Information | Value |
|---|---|
| ID | #124 |
| File Name | c:\windows\syswow64\tasklist.exe |
| Command Line | tasklist |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:59, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:29 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbd4 |
| Parent PID | 0xbdc (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B3C
0x
BE8
0x
8DC
0x
8D8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| tasklist.exe | 0x000a0000 | 0x000b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000f20000 | 0x00f20000 | 0x00f3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f20000 | 0x00f20000 | 0x00f2ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x00f33fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f41fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f40000 | 0x00f40000 | 0x00f42fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000f50000 | 0x00f50000 | 0x00f5efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000f60000 | 0x00f60000 | 0x00f9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00fdffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000fe0000 | 0x00fe0000 | 0x00fe3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ff0000 | 0x00ff0000 | 0x00ff0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x01001fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x01010000 | 0x0108dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000001090000 | 0x01090000 | 0x01090fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000010a0000 | 0x010a0000 | 0x010a0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000010b0000 | 0x010b0000 | 0x010b0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000010c0000 | 0x010c0000 | 0x010c3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000010d0000 | 0x010d0000 | 0x010d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000010e0000 | 0x010e0000 | 0x010e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000010f0000 | 0x010f0000 | 0x0112ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001140000 | 0x01140000 | 0x0114ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001150000 | 0x01150000 | 0x01291fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000012b0000 | 0x012b0000 | 0x013affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000013b0000 | 0x013b0000 | 0x01537fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001560000 | 0x01560000 | 0x0156ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001570000 | 0x01570000 | 0x016f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001700000 | 0x01700000 | 0x02afffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02b00000 | 0x02dd4fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002de0000 | 0x02de0000 | 0x031dbfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000031e0000 | 0x031e0000 | 0x0321ffff | Private Memory | Readable, Writable |
|
|
|
- |
| winsta.dll | 0x73430000 | 0x73471fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x73480000 | 0x734e0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x734f0000 | 0x734fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x73530000 | 0x7353ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x73540000 | 0x7355afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x73560000 | 0x73569fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dbghelp.dll | 0x73570000 | 0x736b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x736c0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x73da0000 | 0x73ddcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73de0000 | 0x73df3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73e10000 | 0x73e18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73f20000 | 0x73f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x73f40000 | 0x73f6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x73f70000 | 0x73f87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74310000 | 0x74317fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x745f0000 | 0x745f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75700000 | 0x7577cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e930000 | 0x7e930000 | 0x7ea2ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ea30000 | 0x7ea30000 | 0x7ea52fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ea57000 | 0x7ea57000 | 0x7ea57fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ea59000 | 0x7ea59000 | 0x7ea59fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ea5a000 | 0x7ea5a000 | 0x7ea5cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ea5d000 | 0x7ea5d000 | 0x7ea5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #125: find.exe
0
0
| Information | Value |
|---|---|
| ID | #125 |
| File Name | c:\windows\syswow64\find.exe |
| Command Line | find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:01:59, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:29 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb40 |
| Parent PID | 0xbdc (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
974
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a40000 | 0x00a40000 | 0x00a5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a61fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a70000 | 0x00a70000 | 0x00a7efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00abffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00afffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b00000 | 0x00b00000 | 0x00b03fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000b10000 | 0x00b10000 | 0x00b10fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b21fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00cbffff | Private Memory | Readable, Writable |
|
|
|
- |
| find.exe | 0x011c0000 | 0x011c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f300000 | 0x7f300000 | 0x7f322fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f323000 | 0x7f323000 | 0x7f323fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f32b000 | 0x7f32b000 | 0x7f32dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f32e000 | 0x7f32e000 | 0x7f32efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #126: ping.exe
72
6
| Information | Value |
|---|---|
| ID | #126 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 3 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:00, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:28 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x820 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BE0
0x
BE4
0x
920
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000730000 | 0x00730000 | 0x0074ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x0073ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x00743fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x00751fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x00752fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x0076efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x007affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x007f3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x00800fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x00811fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0085ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x00860fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x00870000 | 0x00872fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x0089ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x008a0000 | 0x0091dfff | Memory Mapped File | Readable |
|
|
|
- |
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x0098ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x009cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x00a0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00b7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00ceffff | Private Memory | Readable, Writable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e060000 | 0x7e060000 | 0x7e15ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e160000 | 0x7e160000 | 0x7e182fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e183000 | 0x7e183000 | 0x7e185fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e186000 | 0x7e186000 | 0x7e186fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e189000 | 0x7e189000 | 0x7e18bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e18c000 | 0x7e18c000 | 0x7e18efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e18f000 | 0x7e18f000 | 0x7e18ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (50)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
17 | |
| Open | STD_OUTPUT_HANDLE | - |
|
17 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
17 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
3 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #127: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #127 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c tasklist|find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:02, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:26 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x788 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6BC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000310000 | 0x00310000 | 0x0032ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x0031ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x00323fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00331fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00333fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x0034efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0038ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0048ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x00493fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x004a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x004fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0050ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00510000 | 0x0058dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0075ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00760000 | 0x00a34fff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ef10000 | 0x7ef10000 | 0x7f00ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f010000 | 0x7f010000 | 0x7f032fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f037000 | 0x7f037000 | 0x7f037fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f03c000 | 0x7f03c000 | 0x7f03cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f03d000 | 0x7f03d000 | 0x7f03ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\tasklist.exe | os_pid = 0x470, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\find.exe | os_pid = 0x7b0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
5 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #128: tasklist.exe
0
0
| Information | Value |
|---|---|
| ID | #128 |
| File Name | c:\windows\syswow64\tasklist.exe |
| Command Line | tasklist |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:02, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:26 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x470 |
| Parent PID | 0x788 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
3DC
0x
6B8
0x
BFC
0x
B44
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| tasklist.exe | 0x000a0000 | 0x000b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x0072ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000710000 | 0x00710000 | 0x0071ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x00723fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x00731fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x00732fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x0074efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x0078ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x007cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x007d3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x007e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x007f1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00800000 | 0x0087dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x00880fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x00890fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008a0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008c3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x008d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x008e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x0092ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x0096ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x009affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x009dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000009e0000 | 0x009e0000 | 0x00b67fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00baffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00caffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000cb0000 | 0x00cb0000 | 0x00e30fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000e40000 | 0x00e40000 | 0x0223ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002240000 | 0x02240000 | 0x02381fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02390000 | 0x02664fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002670000 | 0x02670000 | 0x02a6bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002a70000 | 0x02a70000 | 0x02aaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002ab0000 | 0x02ab0000 | 0x02aeffff | Private Memory | Readable, Writable |
|
|
|
- |
| fastprox.dll | 0x73360000 | 0x7340afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x73420000 | 0x7342ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x73430000 | 0x73471fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x73480000 | 0x734e0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x734f0000 | 0x734fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x73530000 | 0x7353ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x73540000 | 0x7355afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x73560000 | 0x73569fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dbghelp.dll | 0x73570000 | 0x736b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x736c0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x73da0000 | 0x73ddcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73de0000 | 0x73df3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73e10000 | 0x73e18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73f20000 | 0x73f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x73f40000 | 0x73f6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x73f70000 | 0x73f87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74310000 | 0x74317fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x745f0000 | 0x745f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75700000 | 0x7577cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007ee6d000 | 0x7ee6d000 | 0x7ee6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007ee70000 | 0x7ee70000 | 0x7ef6ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ef70000 | 0x7ef70000 | 0x7ef92fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ef94000 | 0x7ef94000 | 0x7ef96fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef97000 | 0x7ef97000 | 0x7ef99fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef9a000 | 0x7ef9a000 | 0x7ef9cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef9d000 | 0x7ef9d000 | 0x7ef9dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef9f000 | 0x7ef9f000 | 0x7ef9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #129: find.exe
0
0
| Information | Value |
|---|---|
| ID | #129 |
| File Name | c:\windows\syswow64\find.exe |
| Command Line | find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:02, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:26 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7b0 |
| Parent PID | 0x788 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6A8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000730000 | 0x00730000 | 0x0074ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x0073ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x00743fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x00751fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x00753fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x0076efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x007affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x007f3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x00800fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x00811fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00820000 | 0x0089dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x008effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00bcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00dbffff | Private Memory | Readable, Writable |
|
|
|
- |
| find.exe | 0x011c0000 | 0x011c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fsutilext.dll | 0x73410000 | 0x7341efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ulib.dll | 0x73500000 | 0x73520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f800000 | 0x7f800000 | 0x7f8fffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f900000 | 0x7f900000 | 0x7f922fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f924000 | 0x7f924000 | 0x7f924fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f926000 | 0x7f926000 | 0x7f926fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f92d000 | 0x7f92d000 | 0x7f92ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #130: ping.exe
72
6
| Information | Value |
|---|---|
| ID | #130 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 3 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:02, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:26 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x118 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
498
0x
728
0x
BF4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00b5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b40000 | 0x00b40000 | 0x00b4ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00b53fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00b61fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b60000 | 0x00b60000 | 0x00b62fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x00b7efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00bbffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00bfffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c00000 | 0x00c00000 | 0x00c03fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000c10000 | 0x00c10000 | 0x00c10fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000c20000 | 0x00c20000 | 0x00c21fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00c30000 | 0x00cadfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00ceffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000cf0000 | 0x00cf0000 | 0x00d2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000d30000 | 0x00d30000 | 0x00d30fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x00d40000 | 0x00d42fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00d8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00e0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e70000 | 0x00e70000 | 0x00f6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001080000 | 0x01080000 | 0x0108ffff | Private Memory | Readable, Writable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007eb10000 | 0x7eb10000 | 0x7ec0ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ec10000 | 0x7ec10000 | 0x7ec32fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ec33000 | 0x7ec33000 | 0x7ec35fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ec36000 | 0x7ec36000 | 0x7ec36fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ec37000 | 0x7ec37000 | 0x7ec37fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ec3a000 | 0x7ec3a000 | 0x7ec3cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ec3d000 | 0x7ec3d000 | 0x7ec3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (50)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
17 | |
| Open | STD_OUTPUT_HANDLE | - |
|
17 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
17 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
3 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #131: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #131 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c tasklist|find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:24 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x810 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9A4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000c80000 | 0x00c80000 | 0x00c9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c80000 | 0x00c80000 | 0x00c8ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00c93fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00ca1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00ca3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000cb0000 | 0x00cb0000 | 0x00cbefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000cc0000 | 0x00cc0000 | 0x00cfffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d00000 | 0x00d00000 | 0x00dfffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e00000 | 0x00e00000 | 0x00e03fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000e10000 | 0x00e10000 | 0x00e10fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00e21fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00e30000 | 0x00eadfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x00f1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x0100ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001040000 | 0x01040000 | 0x0113ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sortdefault.nls | 0x012e0000 | 0x015b4fff | Memory Mapped File | Readable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e730000 | 0x7e730000 | 0x7e82ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e830000 | 0x7e830000 | 0x7e852fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e859000 | 0x7e859000 | 0x7e85bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e85c000 | 0x7e85c000 | 0x7e85cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e85d000 | 0x7e85d000 | 0x7e85dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\tasklist.exe | os_pid = 0x5f8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\find.exe | os_pid = 0x5e4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
5 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #132: tasklist.exe
0
0
| Information | Value |
|---|---|
| ID | #132 |
| File Name | c:\windows\syswow64\tasklist.exe |
| Command Line | tasklist |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:24 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5f8 |
| Parent PID | 0x810 (c:\windows\syswow64\attrib.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
6B0
0x
828
0x
9E8
0x
9F8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| tasklist.exe | 0x000a0000 | 0x000b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00fbffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000fa0000 | 0x00fa0000 | 0x00faffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fb0000 | 0x00fb0000 | 0x00fb3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x00fc1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000fc0000 | 0x00fc0000 | 0x00fc2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000fd0000 | 0x00fd0000 | 0x00fdefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x0101ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001020000 | 0x01020000 | 0x0105ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001060000 | 0x01060000 | 0x01063fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001070000 | 0x01070000 | 0x01070fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001080000 | 0x01080000 | 0x01081fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x01090000 | 0x0110dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000001110000 | 0x01110000 | 0x01110fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001120000 | 0x01120000 | 0x01120fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001130000 | 0x01130000 | 0x01130fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001140000 | 0x01140000 | 0x01143fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001150000 | 0x01150000 | 0x01150fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001160000 | 0x01160000 | 0x01160fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001170000 | 0x01170000 | 0x011affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000011b0000 | 0x011b0000 | 0x011effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001210000 | 0x01210000 | 0x0121ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001220000 | 0x01220000 | 0x01361fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001390000 | 0x01390000 | 0x0139ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000013a0000 | 0x013a0000 | 0x013dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001400000 | 0x01400000 | 0x014fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001500000 | 0x01500000 | 0x01687fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001690000 | 0x01690000 | 0x01810fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001820000 | 0x01820000 | 0x02c1ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02c20000 | 0x02ef4fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002f00000 | 0x02f00000 | 0x032fbfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000003300000 | 0x03300000 | 0x0333ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003340000 | 0x03340000 | 0x0337ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003380000 | 0x03380000 | 0x033bffff | Private Memory | Readable, Writable |
|
|
|
- |
| fastprox.dll | 0x73370000 | 0x7341afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x73420000 | 0x7342ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x73430000 | 0x73471fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x73480000 | 0x734e0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x734f0000 | 0x734fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x73530000 | 0x7353ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x73540000 | 0x7355afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x73560000 | 0x73569fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dbghelp.dll | 0x73570000 | 0x736b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x736c0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x73da0000 | 0x73ddcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73de0000 | 0x73df3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73e10000 | 0x73e18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73f20000 | 0x73f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x73f40000 | 0x73f6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x73f70000 | 0x73f87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74310000 | 0x74317fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x745f0000 | 0x745f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75700000 | 0x7577cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007e28d000 | 0x7e28d000 | 0x7e28ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007e290000 | 0x7e290000 | 0x7e38ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e390000 | 0x7e390000 | 0x7e3b2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e3b5000 | 0x7e3b5000 | 0x7e3b7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e3b8000 | 0x7e3b8000 | 0x7e3bafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e3bb000 | 0x7e3bb000 | 0x7e3bdfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e3be000 | 0x7e3be000 | 0x7e3befff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e3bf000 | 0x7e3bf000 | 0x7e3bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #133: find.exe
0
0
| Information | Value |
|---|---|
| ID | #133 |
| File Name | c:\windows\syswow64\find.exe |
| Command Line | find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:24 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5e4 |
| Parent PID | 0x810 (c:\windows\syswow64\attrib.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
770
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000750000 | 0x00750000 | 0x0076ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x0075ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x00763fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x00771fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x00773fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x0078efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x007cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x0080ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x00813fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x00820fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x00831fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00840000 | 0x008bdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x00abffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00bfffff | Private Memory | Readable, Writable |
|
|
|
- |
| find.exe | 0x011c0000 | 0x011c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fsutilext.dll | 0x73360000 | 0x7336efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ulib.dll | 0x73500000 | 0x73520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007eba0000 | 0x7eba0000 | 0x7ec9ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007eca0000 | 0x7eca0000 | 0x7ecc2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ecc5000 | 0x7ecc5000 | 0x7ecc5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ecca000 | 0x7ecca000 | 0x7eccafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eccd000 | 0x7eccd000 | 0x7eccffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #134: ping.exe
72
6
| Information | Value |
|---|---|
| ID | #134 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 3 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:05, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:23 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa48 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BEC
0x
A58
0x
A08
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000540000 | 0x00540000 | 0x0055ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x0054ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x00553fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x00561fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x00562fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x0057efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x005bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00603fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00610fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x00621fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00630000 | 0x006adfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x006bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x0073ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0074ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x00750fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x00760000 | 0x00762fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x0089ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x0091ffff | Private Memory | Readable, Writable |
|
|
|
- |
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f380000 | 0x7f380000 | 0x7f47ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f480000 | 0x7f480000 | 0x7f4a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f4a5000 | 0x7f4a5000 | 0x7f4a7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4a8000 | 0x7f4a8000 | 0x7f4aafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4ab000 | 0x7f4ab000 | 0x7f4adfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4ae000 | 0x7f4ae000 | 0x7f4aefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4af000 | 0x7f4af000 | 0x7f4affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (50)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
17 | |
| Open | STD_OUTPUT_HANDLE | - |
|
17 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
17 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
3 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #135: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #135 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c tasklist|find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:21 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x74c |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
508
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000380000 | 0x00380000 | 0x0039ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x0038ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x00393fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003a3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003befff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x004fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00503fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00510fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x00521fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00530000 | 0x005adfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0072ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0082ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00830000 | 0x00b04fff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ed50000 | 0x7ed50000 | 0x7ee4ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ee50000 | 0x7ee50000 | 0x7ee72fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ee7b000 | 0x7ee7b000 | 0x7ee7dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee7e000 | 0x7ee7e000 | 0x7ee7efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee7f000 | 0x7ee7f000 | 0x7ee7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 178, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\tasklist.exe | os_pid = 0x784, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\find.exe | os_pid = 0x688, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
5 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #136: tasklist.exe
0
0
| Information | Value |
|---|---|
| ID | #136 |
| File Name | c:\windows\syswow64\tasklist.exe |
| Command Line | tasklist |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:21 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x784 |
| Parent PID | 0x74c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2E4
0x
9B4
0x
4CC
0x
940
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| tasklist.exe | 0x000a0000 | 0x000b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0057ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x0056ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x00573fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x00581fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x00582fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x0059efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x0061ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x00623fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x00630fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x00641fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00650000 | 0x006cdfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x006d0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006e0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006f0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x00703fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000710000 | 0x00710000 | 0x00710fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0072ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x00871fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x00880fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x0089ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x009affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000009b0000 | 0x009b0000 | 0x00b37fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000b40000 | 0x00b40000 | 0x00cc0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000cd0000 | 0x00cd0000 | 0x020cffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x020d0000 | 0x023a4fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000023b0000 | 0x023b0000 | 0x027abfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000027b0000 | 0x027b0000 | 0x027effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000027f0000 | 0x027f0000 | 0x0282ffff | Private Memory | Readable, Writable |
|
|
|
- |
| winsta.dll | 0x73430000 | 0x73471fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x73480000 | 0x734e0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x734f0000 | 0x734fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x73530000 | 0x7353ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x73540000 | 0x7355afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x73560000 | 0x73569fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dbghelp.dll | 0x73570000 | 0x736b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x736c0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x73da0000 | 0x73ddcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73de0000 | 0x73df3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73e10000 | 0x73e18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73f20000 | 0x73f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x73f40000 | 0x73f6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x73f70000 | 0x73f87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74310000 | 0x74317fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x745f0000 | 0x745f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75700000 | 0x7577cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ecc0000 | 0x7ecc0000 | 0x7edbffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007edc0000 | 0x7edc0000 | 0x7ede2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ede8000 | 0x7ede8000 | 0x7edeafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007edeb000 | 0x7edeb000 | 0x7ededfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007edee000 | 0x7edee000 | 0x7edeefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007edef000 | 0x7edef000 | 0x7edeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #137: find.exe
0
0
| Information | Value |
|---|---|
| ID | #137 |
| File Name | c:\windows\syswow64\find.exe |
| Command Line | find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:21 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x688 |
| Parent PID | 0x74c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
658
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005f0000 | 0x005f0000 | 0x0060ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x00611fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x0062efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0066ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x006affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x006b3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000006c0000 | 0x006c0000 | 0x006c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x006d1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x0077ffff | Private Memory | Readable, Writable |
|
|
|
- |
| find.exe | 0x011c0000 | 0x011c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ea90000 | 0x7ea90000 | 0x7eab2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eab7000 | 0x7eab7000 | 0x7eab7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eabc000 | 0x7eabc000 | 0x7eabefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eabf000 | 0x7eabf000 | 0x7eabffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #138: ping.exe
72
6
| Information | Value |
|---|---|
| ID | #138 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 3 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:08, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:20 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9c0 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2FC
0x
65C
0x
3C8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000000a0000 | 0x000a0000 | 0x000bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000affff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000b3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000defff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x0011ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x0015ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00163fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00170fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00181fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00190000 | 0x0020dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0024ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0028ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00290fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x002a0000 | 0x002a2fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0031ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0035ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0054ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0069ffff | Private Memory | Readable, Writable |
|
|
|
- |
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007f6dd000 | 0x7f6dd000 | 0x7f6dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007f6e0000 | 0x7f6e0000 | 0x7f7dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f7e0000 | 0x7f7e0000 | 0x7f802fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f806000 | 0x7f806000 | 0x7f806fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f808000 | 0x7f808000 | 0x7f80afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f80b000 | 0x7f80b000 | 0x7f80bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f80d000 | 0x7f80d000 | 0x7f80ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (50)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
17 | |
| Open | STD_OUTPUT_HANDLE | - |
|
17 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
17 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
3 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #139: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #139 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c tasklist|find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:10, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:18 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x518 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
454
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a70000 | 0x00a70000 | 0x00a8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a70000 | 0x00a70000 | 0x00a7ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00a83fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a91fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a93fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000aa0000 | 0x00aa0000 | 0x00aaefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00aeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00beffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000bf0000 | 0x00bf0000 | 0x00bf3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000c00000 | 0x00c00000 | 0x00c00fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00c11fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00c20000 | 0x00c9dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00ceffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d40000 | 0x00d40000 | 0x00d4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00ebffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00ec0000 | 0x01194fff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f790000 | 0x7f790000 | 0x7f88ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f890000 | 0x7f890000 | 0x7f8b2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f8ba000 | 0x7f8ba000 | 0x7f8bafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f8bc000 | 0x7f8bc000 | 0x7f8befff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f8bf000 | 0x7f8bf000 | 0x7f8bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 178, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\tasklist.exe | os_pid = 0x3ec, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\find.exe | os_pid = 0x3d8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
5 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #140: tasklist.exe
0
0
| Information | Value |
|---|---|
| ID | #140 |
| File Name | c:\windows\syswow64\tasklist.exe |
| Command Line | tasklist |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:10, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:18 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3ec |
| Parent PID | 0x518 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
40C
0x
464
0x
8C8
0x
6C4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| tasklist.exe | 0x000a0000 | 0x000b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00dbffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000da0000 | 0x00da0000 | 0x00daffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00db3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dc1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000dc0000 | 0x00dc0000 | 0x00dc2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000dd0000 | 0x00dd0000 | 0x00ddefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00e1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00e5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e60000 | 0x00e60000 | 0x00e63fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000e70000 | 0x00e70000 | 0x00e70fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00e81fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00e90000 | 0x00f0dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000f10000 | 0x00f10000 | 0x00f10fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f20000 | 0x00f20000 | 0x00f20fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x00f30fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f40000 | 0x00f40000 | 0x00f43fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f50000 | 0x00f50000 | 0x00f50fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000f60000 | 0x00f60000 | 0x00f60fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000f70000 | 0x00f70000 | 0x00faffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x00fcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x0100ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x0110ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001110000 | 0x01110000 | 0x01297fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000012b0000 | 0x012b0000 | 0x012bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000012c0000 | 0x012c0000 | 0x01440fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001450000 | 0x01450000 | 0x0284ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002850000 | 0x02850000 | 0x02991fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x029a0000 | 0x02c74fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002c80000 | 0x02c80000 | 0x0307bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000003080000 | 0x03080000 | 0x030bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000030c0000 | 0x030c0000 | 0x030fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003100000 | 0x03100000 | 0x0313ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000003140000 | 0x03140000 | 0x0317ffff | Private Memory | Readable, Writable |
|
|
|
- |
| fastprox.dll | 0x73360000 | 0x7340afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x73410000 | 0x7341ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x73460000 | 0x734a1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x734b0000 | 0x73510fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x73520000 | 0x7352bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x73530000 | 0x7353ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x73540000 | 0x7355afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x73560000 | 0x73569fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dbghelp.dll | 0x73570000 | 0x736b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x736c0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x73da0000 | 0x73ddcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73de0000 | 0x73df3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73e10000 | 0x73e18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73f20000 | 0x73f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x73f40000 | 0x73f6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x73f70000 | 0x73f87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74310000 | 0x74317fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x745f0000 | 0x745f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75700000 | 0x7577cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007e35d000 | 0x7e35d000 | 0x7e35ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007e360000 | 0x7e360000 | 0x7e45ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e460000 | 0x7e460000 | 0x7e482fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e485000 | 0x7e485000 | 0x7e487fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e488000 | 0x7e488000 | 0x7e48afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e48b000 | 0x7e48b000 | 0x7e48bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e48c000 | 0x7e48c000 | 0x7e48efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e48f000 | 0x7e48f000 | 0x7e48ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #141: find.exe
0
0
| Information | Value |
|---|---|
| ID | #141 |
| File Name | c:\windows\syswow64\find.exe |
| Command Line | find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:10, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:18 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3d8 |
| Parent PID | 0x518 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
308
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000b00000 | 0x00b00000 | 0x00b1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b00000 | 0x00b00000 | 0x00b0ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b21fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b23fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b30000 | 0x00b30000 | 0x00b3efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00b7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00bbffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000bc0000 | 0x00bc0000 | 0x00bc3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000bd0000 | 0x00bd0000 | 0x00bd0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00be1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00bf3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00c5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00c60000 | 0x00cddfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00e5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| find.exe | 0x011c0000 | 0x011c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fsutilext.dll | 0x73420000 | 0x7342efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ulib.dll | 0x73430000 | 0x73450fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ea30000 | 0x7ea30000 | 0x7eb2ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007eb30000 | 0x7eb30000 | 0x7eb52fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eb59000 | 0x7eb59000 | 0x7eb59fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb5c000 | 0x7eb5c000 | 0x7eb5efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb5f000 | 0x7eb5f000 | 0x7eb5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #142: ping.exe
72
6
| Information | Value |
|---|---|
| ID | #142 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 3 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:10, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:18 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x22c |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
988
0x
2A4
0x
664
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000005d0000 | 0x005d0000 | 0x005effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x005dffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005e3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005f1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x005f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x0060efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0064ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0068ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00693fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x006a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x006b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000006c0000 | 0x006c0000 | 0x006c0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x006d0000 | 0x006d2fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006effff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x006f0000 | 0x0076dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x007affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x007fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x0092ffff | Private Memory | Readable, Writable |
|
|
|
- |
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x0098ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x009cffff | Private Memory | Readable, Writable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ec10000 | 0x7ec10000 | 0x7ed0ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ed10000 | 0x7ed10000 | 0x7ed32fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ed35000 | 0x7ed35000 | 0x7ed37fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed38000 | 0x7ed38000 | 0x7ed3afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed3b000 | 0x7ed3b000 | 0x7ed3bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed3c000 | 0x7ed3c000 | 0x7ed3efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed3f000 | 0x7ed3f000 | 0x7ed3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (50)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
17 | |
| Open | STD_OUTPUT_HANDLE | - |
|
17 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
17 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
3 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #143: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #143 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c tasklist|find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:12, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:16 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5e8 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BB0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000810000 | 0x00810000 | 0x0082ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x0081ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x00823fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x00831fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x00833fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x0084efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x0088ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x0098ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000990000 | 0x00990000 | 0x00993fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x009a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x009b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x009c0000 | 0x00a3dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00a9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00b7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c40000 | 0x00c40000 | 0x00d3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00d40000 | 0x01014fff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e9e0000 | 0x7e9e0000 | 0x7eadffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007eae0000 | 0x7eae0000 | 0x7eb02fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eb0a000 | 0x7eb0a000 | 0x7eb0cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb0d000 | 0x7eb0d000 | 0x7eb0dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb0f000 | 0x7eb0f000 | 0x7eb0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 204, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\tasklist.exe | os_pid = 0xbac, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\find.exe | os_pid = 0xbbc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
5 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #144: tasklist.exe
0
0
| Information | Value |
|---|---|
| ID | #144 |
| File Name | c:\windows\syswow64\tasklist.exe |
| Command Line | tasklist |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:12, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:16 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbac |
| Parent PID | 0x5e8 (c:\windows\syswow64\ping.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
444
0x
8E4
0x
898
0x
884
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| tasklist.exe | 0x000a0000 | 0x000b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0029ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x0028ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00293fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002befff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0033ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x00343fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00350fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x00361fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00370000 | 0x003edfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x00400fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x00410fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x00423fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00430fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x00440fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0048ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x004cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x004dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x0051ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0055ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0067ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00807fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0084ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x0085ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x009e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x01deffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001df0000 | 0x01df0000 | 0x01f31fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x01f40000 | 0x02214fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002220000 | 0x02220000 | 0x0261bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002620000 | 0x02620000 | 0x0265ffff | Private Memory | Readable, Writable |
|
|
|
- |
| fastprox.dll | 0x73370000 | 0x7341afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x73420000 | 0x7342ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x73430000 | 0x73471fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x73480000 | 0x734e0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x734f0000 | 0x734fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x73530000 | 0x7353ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x73540000 | 0x7355afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x73560000 | 0x73569fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dbghelp.dll | 0x73570000 | 0x736b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x736c0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x73da0000 | 0x73ddcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73de0000 | 0x73df3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73e10000 | 0x73e18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73f20000 | 0x73f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x73f40000 | 0x73f6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x73f70000 | 0x73f87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74310000 | 0x74317fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x745f0000 | 0x745f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75700000 | 0x7577cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007e6fd000 | 0x7e6fd000 | 0x7e6fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007e700000 | 0x7e700000 | 0x7e7fffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e800000 | 0x7e800000 | 0x7e822fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e824000 | 0x7e824000 | 0x7e824fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e826000 | 0x7e826000 | 0x7e826fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e827000 | 0x7e827000 | 0x7e829fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e82a000 | 0x7e82a000 | 0x7e82cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e82d000 | 0x7e82d000 | 0x7e82ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #145: find.exe
0
0
| Information | Value |
|---|---|
| ID | #145 |
| File Name | c:\windows\syswow64\find.exe |
| Command Line | find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:12, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:16 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbbc |
| Parent PID | 0x5e8 (c:\windows\syswow64\ping.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
81C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000002f0000 | 0x002f0000 | 0x0030ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x002fffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x00303fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x00311fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x00313fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x0032efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0036ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x003affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x003e0000 | 0x0045dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x006effff | Private Memory | Readable, Writable |
|
|
|
- |
| find.exe | 0x011c0000 | 0x011c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fsutilext.dll | 0x73360000 | 0x7336efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ulib.dll | 0x73500000 | 0x73520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007fc50000 | 0x7fc50000 | 0x7fd4ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007fd50000 | 0x7fd50000 | 0x7fd72fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007fd78000 | 0x7fd78000 | 0x7fd78fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fd7a000 | 0x7fd7a000 | 0x7fd7cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fd7d000 | 0x7fd7d000 | 0x7fd7dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #146: ping.exe
72
6
| Information | Value |
|---|---|
| ID | #146 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 3 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:13, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:15 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8e8 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BCC
0x
BB8
0x
BA8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000460000 | 0x00460000 | 0x0047ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x0046ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x00473fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x00481fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00482fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x0049efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x0051ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x00523fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000530000 | 0x00530000 | 0x00530fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x00541fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00550000 | 0x005cdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x0060ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0064ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x00650fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x00660000 | 0x00662fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x006affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x0072ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0091ffff | Private Memory | Readable, Writable |
|
|
|
- |
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00adffff | Private Memory | Readable, Writable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007ea3d000 | 0x7ea3d000 | 0x7ea3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007ea40000 | 0x7ea40000 | 0x7eb3ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007eb40000 | 0x7eb40000 | 0x7eb62fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eb65000 | 0x7eb65000 | 0x7eb65fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb68000 | 0x7eb68000 | 0x7eb68fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb6a000 | 0x7eb6a000 | 0x7eb6cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb6d000 | 0x7eb6d000 | 0x7eb6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (50)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
17 | |
| Open | STD_OUTPUT_HANDLE | - |
|
17 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
17 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
3 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #147: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #147 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c tasklist|find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:15, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:13 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbb4 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BF8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000a00000 | 0x00a00000 | 0x00a1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x00a0ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a13fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a21fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a23fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a30000 | 0x00a30000 | 0x00a3efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00a7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a80000 | 0x00a80000 | 0x00b7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000b80000 | 0x00b80000 | 0x00b83fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000b90000 | 0x00b90000 | 0x00b90fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00ba1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00bb0000 | 0x00c2dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000c70000 | 0x00c70000 | 0x00c7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00e2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x00f9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00fa0000 | 0x01274fff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f3a0000 | 0x7f3a0000 | 0x7f49ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f4a0000 | 0x7f4a0000 | 0x7f4c2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f4c6000 | 0x7f4c6000 | 0x7f4c6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4cc000 | 0x7f4cc000 | 0x7f4ccfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f4cd000 | 0x7f4cd000 | 0x7f4cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 60, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\tasklist.exe | os_pid = 0x9e0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\find.exe | os_pid = 0x840, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
5 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #148: tasklist.exe
0
0
| Information | Value |
|---|---|
| ID | #148 |
| File Name | c:\windows\syswow64\tasklist.exe |
| Command Line | tasklist |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:15, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:13 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9e0 |
| Parent PID | 0xbb4 (c:\windows\syswow64\ping.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
93C
0x
9E4
0x
4F0
0x
938
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| tasklist.exe | 0x000a0000 | 0x000b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x009fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000009e0000 | 0x009e0000 | 0x009effff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x009f3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a00000 | 0x00a00000 | 0x00a01fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x00a02fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00a1efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000aa0000 | 0x00aa0000 | 0x00aa3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ab0000 | 0x00ab0000 | 0x00ab0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00ac1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00adffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00ae0000 | 0x00b5dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000b60000 | 0x00b60000 | 0x00b60fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b70000 | 0x00b70000 | 0x00b7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00b80fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00b90fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00ba3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000bb0000 | 0x00bb0000 | 0x00bb0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000bc0000 | 0x00bc0000 | 0x00bc0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00c0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00c4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00d4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000d50000 | 0x00d50000 | 0x00ed7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ee0000 | 0x00ee0000 | 0x01060fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001070000 | 0x01070000 | 0x0246ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002470000 | 0x02470000 | 0x025b1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x025c0000 | 0x02894fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000028a0000 | 0x028a0000 | 0x02c9bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| winsta.dll | 0x73430000 | 0x73471fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x73480000 | 0x734e0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x734f0000 | 0x734fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x73530000 | 0x7353ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x73540000 | 0x7355afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x73560000 | 0x73569fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dbghelp.dll | 0x73570000 | 0x736b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x736c0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x73da0000 | 0x73ddcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73de0000 | 0x73df3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73e10000 | 0x73e18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73f20000 | 0x73f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x73f40000 | 0x73f6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x73f70000 | 0x73f87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74310000 | 0x74317fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x745f0000 | 0x745f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75700000 | 0x7577cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f730000 | 0x7f730000 | 0x7f82ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f830000 | 0x7f830000 | 0x7f852fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f856000 | 0x7f856000 | 0x7f858fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f859000 | 0x7f859000 | 0x7f859fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f85a000 | 0x7f85a000 | 0x7f85cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f85d000 | 0x7f85d000 | 0x7f85dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #149: find.exe
0
0
| Information | Value |
|---|---|
| ID | #149 |
| File Name | c:\windows\syswow64\find.exe |
| Command Line | find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:15, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:13 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x840 |
| Parent PID | 0xbb4 (c:\windows\syswow64\ping.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
928
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000720000 | 0x00720000 | 0x0073ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x00741fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x0075efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0079ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x007e3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x007f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x00801fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x0090ffff | Private Memory | Readable, Writable |
|
|
|
- |
| find.exe | 0x011c0000 | 0x011c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007eb40000 | 0x7eb40000 | 0x7eb62fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007eb69000 | 0x7eb69000 | 0x7eb6bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb6c000 | 0x7eb6c000 | 0x7eb6cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007eb6d000 | 0x7eb6d000 | 0x7eb6dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #150: ping.exe
72
6
| Information | Value |
|---|---|
| ID | #150 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 3 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:15, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:13 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x934 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
92C
0x
948
0x
8B8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x00000000007e0000 | 0x007e0000 | 0x007fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x007effff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x007f3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x00801fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x00802fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x0081efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0085ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x0089ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000008a0000 | 0x008a0000 | 0x008a3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x008b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008c1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x0090ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x00910fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x00920000 | 0x00922fff | Memory Mapped File | Readable |
|
|
|
- |
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| locale.nls | 0x00950000 | 0x009cdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x009dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x00a1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00a9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00bdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00daffff | Private Memory | Readable, Writable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007eb3d000 | 0x7eb3d000 | 0x7eb3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007eb40000 | 0x7eb40000 | 0x7ec3ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ec40000 | 0x7ec40000 | 0x7ec62fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ec64000 | 0x7ec64000 | 0x7ec66fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ec67000 | 0x7ec67000 | 0x7ec69fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ec6a000 | 0x7ec6a000 | 0x7ec6afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ec6e000 | 0x7ec6e000 | 0x7ec6efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (50)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
17 | |
| Open | STD_OUTPUT_HANDLE | - |
|
17 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
17 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
3 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #151: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #151 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c tasklist|find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:18, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x944 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8BC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000910000 | 0x00910000 | 0x0092ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x0091ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000920000 | 0x00920000 | 0x00923fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x00931fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x00933fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x0094efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x0098ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x00a8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a90000 | 0x00a90000 | 0x00a93fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000aa0000 | 0x00aa0000 | 0x00aa0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00ab1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00b10000 | 0x00b8dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00ccffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00e9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00ea0000 | 0x01174fff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f0d0000 | 0x7f0d0000 | 0x7f1cffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f1d0000 | 0x7f1d0000 | 0x7f1f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f1f3000 | 0x7f1f3000 | 0x7f1f3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f1fc000 | 0x7f1fc000 | 0x7f1fefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f1ff000 | 0x7f1ff000 | 0x7f1fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 108, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\tasklist.exe | os_pid = 0x924, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\find.exe | os_pid = 0x930, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
5 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #152: tasklist.exe
0
0
| Information | Value |
|---|---|
| ID | #152 |
| File Name | c:\windows\syswow64\tasklist.exe |
| Command Line | tasklist |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:18, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:10 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x924 |
| Parent PID | 0x944 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8C0
0x
8EC
0x
918
0x
904
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| tasklist.exe | 0x000a0000 | 0x000b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0064ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x0063ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x00643fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x00651fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x0066efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x006affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x006effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000006f0000 | 0x006f0000 | 0x006f3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00700fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x00711fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00720000 | 0x0079dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x007dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x008dffff | Private Memory | Readable, Writable |
|
|
|
- |
| dbghelp.dll | 0x73570000 | 0x736b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x736c0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x73da0000 | 0x73ddcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73de0000 | 0x73df3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73e10000 | 0x73e18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74310000 | 0x74317fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007fba0000 | 0x7fba0000 | 0x7fc9ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007fca0000 | 0x7fca0000 | 0x7fcc2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007fcc6000 | 0x7fcc6000 | 0x7fcc6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fccc000 | 0x7fccc000 | 0x7fccefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007fccf000 | 0x7fccf000 | 0x7fccffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #153: find.exe
0
0
| Information | Value |
|---|---|
| ID | #153 |
| File Name | c:\windows\syswow64\find.exe |
| Command Line | find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:18, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:10 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x930 |
| Parent PID | 0x944 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8A8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000180000 | 0x00180000 | 0x0019ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001befff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x0023ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00243fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00250fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00261fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Private Memory | Readable, Writable |
|
|
|
- |
| find.exe | 0x011c0000 | 0x011c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f450000 | 0x7f450000 | 0x7f472fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f47b000 | 0x7f47b000 | 0x7f47dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f47e000 | 0x7f47e000 | 0x7f47efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f47f000 | 0x7f47f000 | 0x7f47ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #154: ping.exe
72
6
| Information | Value |
|---|---|
| ID | #154 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 3 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:18, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8fc |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8AC
0x
900
0x
910
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000280000 | 0x00280000 | 0x0029ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x0028ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00293fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002befff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0033ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x00343fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00350fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x00361fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00370000 | 0x003edfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x0042ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0046ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x00470fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x00480000 | 0x00482fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0053ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x006cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x0089ffff | Private Memory | Readable, Writable |
|
|
|
- |
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e6b0000 | 0x7e6b0000 | 0x7e7affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e7b0000 | 0x7e7b0000 | 0x7e7d2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e7d3000 | 0x7e7d3000 | 0x7e7d5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e7d6000 | 0x7e7d6000 | 0x7e7d8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e7d9000 | 0x7e7d9000 | 0x7e7d9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e7dc000 | 0x7e7dc000 | 0x7e7defff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e7df000 | 0x7e7df000 | 0x7e7dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (50)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
17 | |
| Open | STD_OUTPUT_HANDLE | - |
|
17 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
17 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
3 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #155: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #155 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c tasklist|find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:20, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:08 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x90c |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8E0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000490000 | 0x00490000 | 0x004affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x0049ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004a3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004b3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x004cefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x0050ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0060ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00613fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x00620fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x00631fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00640000 | 0x006bdfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x0071ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x0087ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000930000 | 0x00930000 | 0x0093ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00940000 | 0x00c14fff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f0b0000 | 0x7f0b0000 | 0x7f1affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f1b0000 | 0x7f1b0000 | 0x7f1d2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f1d9000 | 0x7f1d9000 | 0x7f1dbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f1dc000 | 0x7f1dc000 | 0x7f1dcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f1dd000 | 0x7f1dd000 | 0x7f1ddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\tasklist.exe | os_pid = 0x8f8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\find.exe | os_pid = 0x960, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
5 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #156: tasklist.exe
0
0
| Information | Value |
|---|---|
| ID | #156 |
| File Name | c:\windows\syswow64\tasklist.exe |
| Command Line | tasklist |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:20, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:08 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8f8 |
| Parent PID | 0x90c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8F0
0x
710
0x
970
0x
1E0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000060000 | 0x00060000 | 0x0007ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x0006ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00073fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00081fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x00082fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x0009efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| tasklist.exe | 0x000a0000 | 0x000b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x0013ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00143fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00150fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x00161fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00170fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x0029ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002dffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x002e0000 | 0x0035dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0039ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x00547fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x006d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x01adffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001ae0000 | 0x01ae0000 | 0x01c21fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x01c30000 | 0x01f04fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000001f10000 | 0x01f10000 | 0x0230bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002310000 | 0x02310000 | 0x0234ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002350000 | 0x02350000 | 0x0238ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002390000 | 0x02390000 | 0x023cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000023d0000 | 0x023d0000 | 0x0240ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002410000 | 0x02410000 | 0x0244ffff | Private Memory | Readable, Writable |
|
|
|
- |
| fastprox.dll | 0x73360000 | 0x7340afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x73410000 | 0x7341ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x73460000 | 0x734a1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x734b0000 | 0x73510fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x73520000 | 0x7352bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x73530000 | 0x7353ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x73540000 | 0x7355afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x73560000 | 0x73569fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dbghelp.dll | 0x73570000 | 0x736b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x736c0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x73da0000 | 0x73ddcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73de0000 | 0x73df3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73e10000 | 0x73e18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73f20000 | 0x73f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x73f40000 | 0x73f6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x73f70000 | 0x73f87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74310000 | 0x74317fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x745f0000 | 0x745f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75700000 | 0x7577cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007e43d000 | 0x7e43d000 | 0x7e43ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007e440000 | 0x7e440000 | 0x7e53ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e540000 | 0x7e540000 | 0x7e562fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e564000 | 0x7e564000 | 0x7e566fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e567000 | 0x7e567000 | 0x7e569fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e56a000 | 0x7e56a000 | 0x7e56afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e56c000 | 0x7e56c000 | 0x7e56efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e56f000 | 0x7e56f000 | 0x7e56ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #157: find.exe
0
0
| Information | Value |
|---|---|
| ID | #157 |
| File Name | c:\windows\syswow64\find.exe |
| Command Line | find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:20, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:08 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x960 |
| Parent PID | 0x90c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
2B8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00bcffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000bb0000 | 0x00bb0000 | 0x00bbffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00bc3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00bd1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00bdffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000be0000 | 0x00be0000 | 0x00beefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000bf0000 | 0x00bf0000 | 0x00c2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c30000 | 0x00c30000 | 0x00c6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c70000 | 0x00c70000 | 0x00c73fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000c80000 | 0x00c80000 | 0x00c80fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00c91fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00ca0000 | 0x00d1dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000d20000 | 0x00d20000 | 0x00d23fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00daffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00f1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| find.exe | 0x011c0000 | 0x011c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fsutilext.dll | 0x73420000 | 0x7342efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ulib.dll | 0x73430000 | 0x73450fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e950000 | 0x7e950000 | 0x7ea4ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ea50000 | 0x7ea50000 | 0x7ea72fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ea7b000 | 0x7ea7b000 | 0x7ea7dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ea7e000 | 0x7ea7e000 | 0x7ea7efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ea7f000 | 0x7ea7f000 | 0x7ea7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #158: ping.exe
72
6
| Information | Value |
|---|---|
| ID | #158 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 3 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:21, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x844 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
848
0x
888
0x
278
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00dbffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000da0000 | 0x00da0000 | 0x00daffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00db3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dc1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000dc0000 | 0x00dc0000 | 0x00dc2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000dd0000 | 0x00dd0000 | 0x00ddefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000de0000 | 0x00de0000 | 0x00e1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e20000 | 0x00e20000 | 0x00e5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000e60000 | 0x00e60000 | 0x00e63fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000e70000 | 0x00e70000 | 0x00e70fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00e81fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00f8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f90000 | 0x00f90000 | 0x00f90fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x00fa0000 | 0x00fa2fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x00fcffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00fd0000 | 0x0104dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001050000 | 0x01050000 | 0x0108ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001090000 | 0x01090000 | 0x010cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001120000 | 0x01120000 | 0x0112ffff | Private Memory | Readable, Writable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f5b0000 | 0x7f5b0000 | 0x7f6affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f6b0000 | 0x7f6b0000 | 0x7f6d2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f6d6000 | 0x7f6d6000 | 0x7f6d8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f6d9000 | 0x7f6d9000 | 0x7f6d9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f6da000 | 0x7f6da000 | 0x7f6dcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f6dd000 | 0x7f6dd000 | 0x7f6ddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (50)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
17 | |
| Open | STD_OUTPUT_HANDLE | - |
|
17 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
17 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
3 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #159: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #159 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c tasklist|find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:23, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x860 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A28
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000470000 | 0x00470000 | 0x0048ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x0047ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x00483fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x00491fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x00493fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x004aefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x005effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x005f3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00600fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x00611fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00620000 | 0x0069dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x0070ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x0080ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000900000 | 0x00900000 | 0x0090ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00910000 | 0x00be4fff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f490000 | 0x7f490000 | 0x7f58ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f590000 | 0x7f590000 | 0x7f5b2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f5b5000 | 0x7f5b5000 | 0x7f5b5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f5bc000 | 0x7f5bc000 | 0x7f5befff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f5bf000 | 0x7f5bf000 | 0x7f5bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\tasklist.exe | os_pid = 0xa38, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\find.exe | os_pid = 0x7bc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
5 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #160: tasklist.exe
0
0
| Information | Value |
|---|---|
| ID | #160 |
| File Name | c:\windows\syswow64\tasklist.exe |
| Command Line | tasklist |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:23, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:05 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa38 |
| Parent PID | 0x860 (c:\windows\syswow64\ping.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
880
0x
A18
0x
878
0x
644
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| tasklist.exe | 0x000a0000 | 0x000b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x005dffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005e3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005f1fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x005f2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x0060efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0064ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0068ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00693fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x006a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x006b1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x006c0000 | 0x0073dfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x00740fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x00750fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x00760fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x00773fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x00780fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x00790fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x0081ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0082ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x0086ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x008affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x0092ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x00a6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000a70000 | 0x00a70000 | 0x00bf7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000c10000 | 0x00c10000 | 0x00c1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000c20000 | 0x00c20000 | 0x00da0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000db0000 | 0x00db0000 | 0x021affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000021b0000 | 0x021b0000 | 0x022f1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02300000 | 0x025d4fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000025e0000 | 0x025e0000 | 0x029dbfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| fastprox.dll | 0x73370000 | 0x7341afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x73420000 | 0x7342ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x73430000 | 0x73471fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x73480000 | 0x734e0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x734f0000 | 0x734fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x73530000 | 0x7353ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x73540000 | 0x7355afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x73560000 | 0x73569fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dbghelp.dll | 0x73570000 | 0x736b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x736c0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x73da0000 | 0x73ddcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73de0000 | 0x73df3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73e10000 | 0x73e18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73f20000 | 0x73f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x73f40000 | 0x73f6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x73f70000 | 0x73f87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74310000 | 0x74317fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x745f0000 | 0x745f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75700000 | 0x7577cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007e71d000 | 0x7e71d000 | 0x7e71ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007e720000 | 0x7e720000 | 0x7e81ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e820000 | 0x7e820000 | 0x7e842fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e845000 | 0x7e845000 | 0x7e847fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e848000 | 0x7e848000 | 0x7e84afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e84b000 | 0x7e84b000 | 0x7e84dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e84e000 | 0x7e84e000 | 0x7e84efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e84f000 | 0x7e84f000 | 0x7e84ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #161: find.exe
0
0
| Information | Value |
|---|---|
| ID | #161 |
| File Name | c:\windows\syswow64\find.exe |
| Command Line | find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:23, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:05 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7bc |
| Parent PID | 0x860 (c:\windows\syswow64\ping.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
870
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000f80000 | 0x00f80000 | 0x00f9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f80000 | 0x00f80000 | 0x00f8ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f90000 | 0x00f90000 | 0x00f93fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00fa1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00faffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000fb0000 | 0x00fb0000 | 0x00fbefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x00ffffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001000000 | 0x01000000 | 0x0103ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001040000 | 0x01040000 | 0x01043fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001050000 | 0x01050000 | 0x01050fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001060000 | 0x01060000 | 0x01061fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x01070000 | 0x010edfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000010f0000 | 0x010f0000 | 0x010f3fff | Private Memory | Readable, Writable |
|
|
|
- |
| find.exe | 0x011c0000 | 0x011c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001270000 | 0x01270000 | 0x0136ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001370000 | 0x01370000 | 0x0137ffff | Private Memory | Readable, Writable |
|
|
|
- |
| fsutilext.dll | 0x73360000 | 0x7336efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ulib.dll | 0x73500000 | 0x73520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007eac0000 | 0x7eac0000 | 0x7ebbffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ebc0000 | 0x7ebc0000 | 0x7ebe2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ebe4000 | 0x7ebe4000 | 0x7ebe4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ebe7000 | 0x7ebe7000 | 0x7ebe7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ebed000 | 0x7ebed000 | 0x7ebeffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #162: ping.exe
72
6
| Information | Value |
|---|---|
| ID | #162 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 3 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:23, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x648 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
4D8
0x
9DC
0x
408
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000430000 | 0x00430000 | 0x0044ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x0043ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x00443fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x00451fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00452fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x0046efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x004affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x004f3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00500fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x00511fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00520000 | 0x0059dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x0061ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x00620fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x00630000 | 0x00632fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0066ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x006affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x006effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006fffff | Private Memory | Readable, Writable |
|
|
|
- |
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00baffff | Private Memory | Readable, Writable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e150000 | 0x7e150000 | 0x7e24ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e250000 | 0x7e250000 | 0x7e272fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e274000 | 0x7e274000 | 0x7e274fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e275000 | 0x7e275000 | 0x7e277fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e278000 | 0x7e278000 | 0x7e27afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e27b000 | 0x7e27b000 | 0x7e27bfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e27d000 | 0x7e27d000 | 0x7e27ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (50)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
17 | |
| Open | STD_OUTPUT_HANDLE | - |
|
17 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
17 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
3 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #163: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #163 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c tasklist|find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4c8 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
8A0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000d90000 | 0x00d90000 | 0x00daffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000d90000 | 0x00d90000 | 0x00d9ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00da3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00db1fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00db3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000dc0000 | 0x00dc0000 | 0x00dcefff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00e0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00f0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000f10000 | 0x00f10000 | 0x00f13fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000f20000 | 0x00f20000 | 0x00f20fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x00f31fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x00f8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fb0000 | 0x00fb0000 | 0x010affff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x010b0000 | 0x0112dfff | Memory Mapped File | Readable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001480000 | 0x01480000 | 0x0148ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x01490000 | 0x01764fff | Memory Mapped File | Readable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007e3b0000 | 0x7e3b0000 | 0x7e4affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007e4b0000 | 0x7e4b0000 | 0x7e4d2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007e4d9000 | 0x7e4d9000 | 0x7e4d9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e4dc000 | 0x7e4dc000 | 0x7e4defff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007e4df000 | 0x7e4df000 | 0x7e4dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | - | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 178, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\tasklist.exe | os_pid = 0xb38, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\find.exe | os_pid = 0x954, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (21)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
5 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
2 |
Process #164: tasklist.exe
0
0
| Information | Value |
|---|---|
| ID | #164 |
| File Name | c:\windows\syswow64\tasklist.exe |
| Command Line | tasklist |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:03 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb38 |
| Parent PID | 0x4c8 (c:\windows\syswow64\ping.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AD8
0x
B20
0x
AE8
0x
A88
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| tasklist.exe | 0x000a0000 | 0x000b6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0056ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x0055ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x00563fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x00571fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x00572fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x0058efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x005cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x0060ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00613fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x00620fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x00631fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00640000 | 0x006bdfff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000006c0000 | 0x006c0000 | 0x006c0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x006d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x006e0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x006f3fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00700fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000710000 | 0x00710000 | 0x00710fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0072ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000730000 | 0x00730000 | 0x0076ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x007affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007b0000 | 0x007b0000 | 0x007effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x0080ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0090ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x00a97fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000aa0000 | 0x00aa0000 | 0x00c20fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000c30000 | 0x00c30000 | 0x0202ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000002030000 | 0x02030000 | 0x02171fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x02180000 | 0x02454fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000002460000 | 0x02460000 | 0x0285bfff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000002860000 | 0x02860000 | 0x0289ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000028a0000 | 0x028a0000 | 0x028dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000028e0000 | 0x028e0000 | 0x0291ffff | Private Memory | Readable, Writable |
|
|
|
- |
| fastprox.dll | 0x73360000 | 0x7340afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemsvc.dll | 0x73420000 | 0x7342ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winsta.dll | 0x73430000 | 0x73471fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemcomn.dll | 0x73480000 | 0x734e0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wbemprox.dll | 0x734f0000 | 0x734fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wkscli.dll | 0x73530000 | 0x7353ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| srvcli.dll | 0x73540000 | 0x7355afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netutils.dll | 0x73560000 | 0x73569fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dbghelp.dll | 0x73570000 | 0x736b7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netapi32.dll | 0x736c0000 | 0x736d1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| framedynos.dll | 0x73da0000 | 0x73ddcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mpr.dll | 0x73de0000 | 0x73df3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| secur32.dll | 0x73e10000 | 0x73e18fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcrypt.dll | 0x73f20000 | 0x73f3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x73f40000 | 0x73f6efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x73f70000 | 0x73f87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x74310000 | 0x74317fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel.appcore.dll | 0x745f0000 | 0x745f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| combase.dll | 0x74bc0000 | 0x74d0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x74d10000 | 0x74d87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x74d90000 | 0x74e16fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x75360000 | 0x75456fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x75460000 | 0x755aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x75700000 | 0x7577cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x76c50000 | 0x76d5bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76d70000 | 0x76db0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x76dc0000 | 0x76de4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x76ec0000 | 0x76fc7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x000000007ed4a000 | 0x7ed4a000 | 0x7ed4cfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ed4d000 | 0x7ed4d000 | 0x7ed4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x000000007ed50000 | 0x7ed50000 | 0x7ee4ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ee50000 | 0x7ee50000 | 0x7ee72fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ee74000 | 0x7ee74000 | 0x7ee74fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee77000 | 0x7ee77000 | 0x7ee79fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee7a000 | 0x7ee7a000 | 0x7ee7afff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ee7d000 | 0x7ee7d000 | 0x7ee7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #165: find.exe
0
0
| Information | Value |
|---|---|
| ID | #165 |
| File Name | c:\windows\syswow64\find.exe |
| Command Line | find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:03 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x954 |
| Parent PID | 0x4c8 (c:\windows\syswow64\ping.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AC8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000040000 | 0x00040000 | 0x0005ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x0004ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00053fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00061fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00063fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x0007efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x000bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00103fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00110fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x00121fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00130000 | 0x001adfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0024ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x004fffff | Private Memory | Readable, Writable |
|
|
|
- |
| find.exe | 0x011c0000 | 0x011c6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fsutilext.dll | 0x73410000 | 0x7341efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ulib.dll | 0x73500000 | 0x73520fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f3f0000 | 0x7f3f0000 | 0x7f4effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f4f0000 | 0x7f4f0000 | 0x7f512fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f51b000 | 0x7f51b000 | 0x7f51dfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f51e000 | 0x7f51e000 | 0x7f51efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f51f000 | 0x7f51f000 | 0x7f51ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Process #166: ping.exe
72
6
| Information | Value |
|---|---|
| ID | #166 |
| File Name | c:\windows\syswow64\ping.exe |
| Command Line | ping -n 3 127.1 |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:26, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa98 |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
798
0x
4C0
0x
604
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000520000 | 0x00520000 | 0x0053ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x0052ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x00533fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x00541fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x00542fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x0055efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0059ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x005e3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x005f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x00601fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00610000 | 0x0068dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x006cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x0070ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000710000 | 0x00710000 | 0x00710fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| ping.exe.mui | 0x00720000 | 0x00722fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0076ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x007affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x008cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x0090ffff | Private Memory | Readable, Writable |
|
|
|
- |
| ping.exe | 0x00940000 | 0x00948fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00abffff | Private Memory | Readable, Writable |
|
|
|
- |
| mswsock.dll | 0x73690000 | 0x736d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x73db0000 | 0x73db7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x73dc0000 | 0x73dddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| bcryptprimitives.dll | 0x74a60000 | 0x74ab2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x74ac0000 | 0x74ac8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x74ad0000 | 0x74aecfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x74e20000 | 0x74ed0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x74ee0000 | 0x74f2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x75a10000 | 0x75a4dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x76d60000 | 0x76d66fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007efa0000 | 0x7efa0000 | 0x7f09ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007f0a0000 | 0x7f0a0000 | 0x7f0c2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007f0c3000 | 0x7f0c3000 | 0x7f0c3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0c6000 | 0x7f0c6000 | 0x7f0c8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0c9000 | 0x7f0c9000 | 0x7f0cbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0cc000 | 0x7f0cc000 | 0x7f0cefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007f0cf000 | 0x7f0cf000 | 0x7f0cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (50)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
17 | |
| Open | STD_OUTPUT_HANDLE | - |
|
17 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 92 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 97 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | value_name = DefaultTTL, data = 0, type = REG_NONE |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\ping.exe | base_address = 0x940000 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
2 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = OutputEncoding |
|
17 |
Network Behavior
ICMP (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Send ICMP Echo | source_address = 0.0.0.0, destination_address = 127.0.0.1, timeout = 4000 |
|
3 |
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Address | address = 127.0.0.1, host_out = 127.0.0.1 |
|
2 | |
| Resolve Name | host = 127.1, address_out = 127.0.0.1 |
|
1 |
Process #167: cmd.exe
39
0
| Information | Value |
|---|---|
| ID | #167 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c tasklist|find /i "FRS_Decryptor.exe" |
| Initial Working Directory | C:\Users\5JgHKoaOfdp\Desktop\ |
| Monitor | Start Time: 00:02:28, Reason: Child Process |
| Unmonitor | End Time: 00:02:28, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x21c |
| Parent PID | 0xa5c (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | FIVAUF\5JgHKoaOfdp |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AA8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000930000 | 0x00930000 | 0x0094ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x0093ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x00943fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x00951fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000960000 | 0x00960000 | 0x0096efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x009affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009b0000 | 0x009b0000 | 0x00aaffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000ab0000 | 0x00ab0000 | 0x00ab3fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000ac0000 | 0x00ac0000 | 0x00ac0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00ad1fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00ae0000 | 0x00b5dfff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000b60000 | 0x00b60000 | 0x00b6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000be0000 | 0x00be0000 | 0x00cdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00e9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cmd.exe | 0x01290000 | 0x012defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x74f70000 | 0x750affff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75940000 | 0x75a0efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x76df0000 | 0x76eadfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64cpu.dll | 0x76fd0000 | 0x76fd8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64win.dll | 0x76fe0000 | 0x77047fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wow64.dll | 0x77050000 | 0x77098fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x770a0000 | 0x77207fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007ede0000 | 0x7ede0000 | 0x7eedffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007eee0000 | 0x7eee0000 | 0x7ef02fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ef04000 | 0x7ef04000 | 0x7ef04fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef0c000 | 0x7ef0c000 | 0x7ef0efff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ef0f000 | 0x7ef0f000 | 0x7ef0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1d6dffff | Private Memory | Readable |
|
|
|
- |
| ntdll.dll | 0x7ffb1d6e0000 | 0x7ffb1d889fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x00007ffb1d88a000 | 0x7ffb1d88a000 | 0x7ffffffeffff | Private Memory | Readable |
|
|
|
- |
Host Behavior
File (5)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\5JgHKoaOfdp\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
2 | |
| Open | STD_INPUT_HANDLE | - |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 178, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x1290000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x74f70000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x74fb3daf |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x74f95d45 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x74f8d16f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x759cdda0 |
|
1 |
Environment (9)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
3 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\5JgHKoaOfdp\Desktop |
|
1 |
