75ca5c2caf5216140f8e3e34160bdc64ce59d75fce1feeaa809ec18f01427783 (SHA256)
volumesound.exe
Windows Exe (x86-32)
Created at 2018-11-06 10:28:00
Monitored Processes
Behavior Information - Grouped by Category
Process #1: volumesound.exe
329
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\ciihmnxmn6ps\desktop\volumesound.exe |
| Command Line | "C:\Users\CIiHmnxMn6Ps\Desktop\volumesound.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:00:46, Reason: Analysis Target |
| Unmonitor | End Time: 00:01:30, Reason: Self Terminated |
| Monitor Duration | 00:00:44 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdd8 |
| Parent PID | 0x508 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DDC
0x
DE0
0x
DE4
0x
E40
0x
E44
0x
E48
0x
F20
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x001d0000 | 0x0028dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| msvfw32.dll.mui | 0x003f0000 | 0x003f1fff | Memory Mapped File | r |
|
|
|
- |
| volumesound.exe | 0x00400000 | 0x0046ffff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000470000 | 0x00470000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x005b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x005b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005c3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005d3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005e0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x005f1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| windowsshell.manifest | 0x00610000 | 0x00610fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x00610fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0071ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x008a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x008b1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008d0000 | 0x008d0000 | 0x0090ffff | Private Memory | rw |
|
|
|
- |
| display.pnf | 0x008d0000 | 0x008d1fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x008e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x008f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000910000 | 0x00910000 | 0x00913fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x00920fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x00930fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x00940fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x00942fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x0095ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000960000 | 0x00960000 | 0x00ae0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000af0000 | 0x00af0000 | 0x01eeffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001ef0000 | 0x01ef0000 | 0x0202ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001ef0000 | 0x01ef0000 | 0x01fa7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001fb0000 | 0x01fb0000 | 0x01fb0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001fc0000 | 0x01fc0000 | 0x01ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002000000 | 0x02000000 | 0x02008fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002010000 | 0x02010000 | 0x02010fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002020000 | 0x02020000 | 0x0202ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002030000 | 0x02030000 | 0x02053fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002030000 | 0x02030000 | 0x02030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002030000 | 0x02030000 | 0x02030fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002040000 | 0x02040000 | 0x02046fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002050000 | 0x02050000 | 0x02056fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000002060000 | 0x02060000 | 0x02083fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002090000 | 0x02090000 | 0x02098fff | Private Memory | rw |
|
|
|
- |
| imageres.dll.mui | 0x020a0000 | 0x020a0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000020a0000 | 0x020a0000 | 0x020a0fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000020a0000 | 0x020a0000 | 0x020dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000020e0000 | 0x020e0000 | 0x020effff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x020f0000 | 0x02426fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002430000 | 0x02430000 | 0x0252ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002530000 | 0x02530000 | 0x0262ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002630000 | 0x02630000 | 0x0272ffff | Private Memory | rw |
|
|
|
- |
| imageres.dll | 0x02730000 | 0x05344fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002730000 | 0x02730000 | 0x02777fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002780000 | 0x02780000 | 0x0287ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002880000 | 0x02880000 | 0x02a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a80000 | 0x02a80000 | 0x02e7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e80000 | 0x02e80000 | 0x0367ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003680000 | 0x03680000 | 0x0377ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003780000 | 0x03780000 | 0x0474ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004750000 | 0x04750000 | 0x047cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000047d0000 | 0x047d0000 | 0x048cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000048d0000 | 0x048d0000 | 0x049cffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x73e10000 | 0x73e17fff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x73e20000 | 0x73e63fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x73e70000 | 0x73e88fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x73e90000 | 0x73ebefff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x73ec0000 | 0x73ed2fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x73ee0000 | 0x7403ffff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x74040000 | 0x74300fff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74310000 | 0x7432afff | Memory Mapped File | rwx |
|
|
|
- |
| windowscodecs.dll | 0x74330000 | 0x744a0fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x744b0000 | 0x745f1fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74600000 | 0x74808fff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x74810000 | 0x74833fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x74840000 | 0x74860fff | Memory Mapped File | rwx |
|
|
|
- |
| winmmbase.dll | 0x74870000 | 0x74892fff | Memory Mapped File | rwx |
|
|
|
- |
| msacm32.dll | 0x748a0000 | 0x748b7fff | Memory Mapped File | rwx |
|
|
|
- |
| msvfw32.dll | 0x748c0000 | 0x748e2fff | Memory Mapped File | rwx |
|
|
|
- |
| avifil32.dll | 0x748f0000 | 0x7490bfff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x74910000 | 0x74926fff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x74930000 | 0x74b53fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74b60000 | 0x74bf1fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75220000 | 0x75255fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76820000 | 0x768a1fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x768b0000 | 0x76999fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x76a90000 | 0x76c34fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c90000 | 0x76d21fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x76d30000 | 0x76d3dfff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x76d40000 | 0x76d81fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x773d0000 | 0x773d5fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x77ab0000 | 0x77c24fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007fea7000 | 0x7fea7000 | 0x7fea9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007feaa000 | 0x7feaa000 | 0x7feacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fead000 | 0x7fead000 | 0x7feaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (26)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | file_attributes = _O_WRONLY |
|
1 | ||
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\F57916AF | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\F57916AF | desired_access = GENERIC_READ |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\FA6AEE10 | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
6 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\FA6AEE10 | desired_access = GENERIC_READ |
|
6 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\volumesound.exe | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | - | - |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Read | STD_ERROR_HANDLE | size = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\volumesound.exe | size = 64, size_out = 64 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\volumesound.exe | size = 20, size_out = 20 |
|
1 | |
| Write | - | size = 0 |
|
1 | |
| Write | System Paging File | size = 0 |
|
1 |
Registry (18)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
6 | |
| Open Key | HKEY_LOCAL_MACHINE\HARDWARE\Description\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 65 |
|
6 | |
| Read Value | HKEY_LOCAL_MACHINE\HARDWARE\Description\System | value_name = VideoBiosVersion, data = 0 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 65 |
|
2 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\explorer.exe | os_pid = 0xf48, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| Get Info | C:\Windows\SysWOW64\explorer.exe | type = PROCESS_BASIC_INFORMATION |
|
1 |
Thread (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Resume | c:\users\ciihmnxmn6ps\desktop\volumesound.exe | os_tid = 0xf20 |
|
1 |
Memory (5)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Protect | C:\Windows\SysWOW64\explorer.exe | address = 0xb3dea0, protection = PAGE_EXECUTE_READWRITE, size = 684 |
|
1 | |
| Read | C:\Windows\SysWOW64\explorer.exe | address = 0x7f587008, size = 4 |
|
1 | |
| Read | C:\Windows\SysWOW64\explorer.exe | address = 0xaa0000, size = 4096 |
|
1 | |
| Read | C:\Windows\SysWOW64\explorer.exe | address = 0xaa00e8, size = 4096 |
|
1 | |
| Write | C:\Windows\SysWOW64\explorer.exe | address = 0xb3dea0, size = 684 |
|
1 |
Module (91)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NTDLL | base_address = 0x77ca0000 |
|
10 | |
| Load | ntdll | base_address = 0x77ca0000 |
|
1 | |
| Load | user32 | base_address = 0x77150000 |
|
1 | |
| Load | Psapi | base_address = 0x773d0000 |
|
1 | |
| Load | winsta.dll | base_address = 0x73e20000 |
|
1 | |
| Load | gdi32 | base_address = 0x77000000 |
|
1 | |
| Load | advapi32 | base_address = 0x76a10000 |
|
1 | |
| Load | shlwapi | base_address = 0x77290000 |
|
1 | |
| Load | shell32 | base_address = 0x75430000 |
|
1 | |
| Load | ole32 | base_address = 0x768b0000 |
|
1 | |
| Load | api-ms-win-core-com-l1-1-0 | base_address = 0x76e40000 |
|
2 | |
| Load | oleaut32 | base_address = 0x76c90000 |
|
1 | |
| Load | version | base_address = 0x73e10000 |
|
1 | |
| Load | crypt32 | base_address = 0x77ab0000 |
|
1 | |
| Load | setupapi | base_address = 0x76a90000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
15 | |
| Get Handle | c:\users\ciihmnxmn6ps\desktop\volumesound.exe | base_address = 0x400000 |
|
8 | |
| Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x77ca0000 |
|
2 | |
| Get Handle | c:\windows\syswow64\advapi32.dll | base_address = 0x76a10000 |
|
2 | |
| Get Handle | sbiedll.dll | base_address = 0x0 |
|
1 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\desktop\volumesound.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\volumesound.exe, size = 260 |
|
1 | |
| Get Filename | c:\users\ciihmnxmn6ps\desktop\volumesound.exe | process_name = c:\users\ciihmnxmn6ps\desktop\volumesound.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\volumesound.exe, size = 260 |
|
1 | |
| Get Filename | sbiedll.dll | process_name = c:\users\ciihmnxmn6ps\desktop\volumesound.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\volumesound.exe, size = 501 |
|
1 | |
| Get Filename | sbiedll.dll | process_name = c:\users\ciihmnxmn6ps\desktop\volumesound.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\volumesound.exe, size = 259 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77cff190 |
|
9 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77cfa200 |
|
6 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75279680 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlReAllocateHeap, address_out = 0x77cdbae0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlAllocateHeap, address_out = 0x77cdda90 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlSizeHeap, address_out = 0x77cf4f40 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlExitUserThread, address_out = 0x77d02570 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlInitializeCriticalSection, address_out = 0x77cf95f0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlEnterCriticalSection, address_out = 0x77ce5e80 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlLeaveCriticalSection, address_out = 0x77ce5e00 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlDeleteCriticalSection, address_out = 0x77cf9920 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlAddVectoredExceptionHandler, address_out = 0x77cff090 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlRemoveVectoredExceptionHandler, address_out = 0x77cc8870 |
|
1 | |
| Get Address | c:\windows\syswow64\combase.dll | function = CoCreateInstance, address_out = 0x76ee8200 |
|
1 | |
| Get Address | c:\windows\syswow64\combase.dll | function = CoUninitialize, address_out = 0x76eadca0 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 65592 |
|
1 | |
| Map | - | process_name = c:\users\ciihmnxmn6ps\desktop\volumesound.exe, desired_access = FILE_MAP_ALL_ACCESS |
|
1 |
Window (12)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | Lambda HTML Editor | class_name = Lambda, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = ToolbarWindow32, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = SysTreeView32, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = STATIC, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = SysTabControl32, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = LambdaEditor, wndproc_parameter = 0 |
|
1 | |
| Set Attribute | - | class_name = ToolbarWindow32, index = 18446744073709551612, new_long = 4321264 |
|
1 | |
| Set Attribute | - | class_name = SysTreeView32, index = 18446744073709551595, new_long = 33686728 |
|
1 | |
| Set Attribute | - | class_name = SysTreeView32, index = 18446744073709551612, new_long = 4251648 |
|
1 | |
| Set Attribute | - | class_name = STATIC, index = 18446744073709551612, new_long = 4294976 |
|
1 | |
| Set Attribute | - | class_name = SysTabControl32, index = 18446744073709551612, new_long = 4297168 |
|
1 | |
| Set Attribute | - | class_name = LambdaEditor, index = 18446744073709551595, new_long = 33689992 |
|
1 |
System (114)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
8 | |
| Get Cursor | x_out = 1388, y_out = 546 |
|
88 | |
| Get Cursor | x_out = 28, y_out = 227 |
|
1 | |
| Sleep | duration = 500 milliseconds (0.500 seconds) |
|
11 | |
| Get Time | type = System Time, time = 2018-11-06 10:30:03 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 143281 |
|
1 | |
| Get Time | type = Ticks, time = 143796 |
|
1 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 |
Mutex (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Lambda |
|
1 | |
| Open | mutex_name = Lambda, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 | |
| Open | mutex_name = Global\UzFCA0D558, desired_access = SYNCHRONIZE |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Ini (38)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Lambda, key_name = AllowMultipleInstance, default_value = false, data_out = false |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Lambda, key_name = AutoConvertChars, default_value = true, data_out = true |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Lambda, key_name = AutomaticlyUpdate, default_value = false, data_out = false |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Lambda, key_name = OpenUnsupportedFiles, default_value = false, data_out = false |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Lambda, key_name = UseDefaultInternetBrowser, default_value = true, data_out = true |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Lambda, key_name = InternetBrowser, default_value = iexplore.exe, data_out = iexplore.exe |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Lambda, key_name = HideExplorer, default_value = false, data_out = false |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Lambda, key_name = HideSplitter, default_value = false, data_out = false |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Lambda, key_name = Left, default_value = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Lambda, key_name = Top, default_value = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Lambda, key_name = Height, default_value = 400 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Lambda, key_name = Width, default_value = 800 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Project Explorer, key_name = OpenOnSingleClick, default_value = false, data_out = false |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Project Explorer, key_name = RenameOnClick, default_value = false, data_out = false |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Project Explorer, key_name = AutomaticlyHide, default_value = false, data_out = false |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Project Explorer, key_name = AutomaticHideDelay, default_value = 2 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Project Explorer, key_name = Width, default_value = 200 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Editor, key_name = OverwriteEmptyDocuments, default_value = true, data_out = true |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Editor, key_name = OverwriteSelectedText, default_value = true, data_out = true |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Editor, key_name = OverwriteTypingMode, default_value = false, data_out = false |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Editor, key_name = IndentAutomaticly, default_value = true, data_out = true |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Editor, key_name = GroupUndos, default_value = false, data_out = false |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Editor, key_name = SelectLineOnDoubleClick, default_value = false, data_out = false |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Editor, key_name = SpaceSeparatedWords, default_value = false, data_out = false |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Editor, key_name = TabIndentsLines, default_value = true, data_out = true |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Editor, key_name = TabSize, default_value = 4 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Editor, key_name = UseDefaultScrollLineCount, default_value = true, data_out = true |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Editor, key_name = ScrollLineCount, default_value = 3 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Editor, key_name = GutterVisible, default_value = true, data_out = true |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Editor, key_name = MarginVisible, default_value = true, data_out = true |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Editor, key_name = LineNumbersVisible, default_value = true, data_out = true |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Editor, key_name = AutomaticlyResizeGutter, default_value = true, data_out = true |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Editor, key_name = GutterSize, default_value = 22 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Editor, key_name = MarginSize, default_value = 80 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Editor, key_name = EditorFontName, default_value = Courier New, data_out = Courier New |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Editor, key_name = EditorFontSize, default_value = 10 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Editor, key_name = GutterFontName, default_value = Courier New, data_out = Courier New |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini | section_name = Editor, key_name = GutterFontSize, default_value = 10 |
|
1 |
Debug (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\ciihmnxmn6ps\desktop\volumesound.exe | - |
|
1 |
Process #2: explorer.exe
335
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\syswow64\explorer.exe |
| Command Line | C:\Windows\SysWOW64\explorer.exe |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:23, Reason: Child Process |
| Unmonitor | End Time: 00:04:47, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:24 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf48 |
| Parent PID | 0xdd8 (c:\users\ciihmnxmn6ps\desktop\volumesound.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F4C
0x
F60
0x
F64
0x
F68
0x
F6C
0x
884
0x
300
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000420000 | 0x00420000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x0042ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x00433fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x00440fff | Private Memory | rw |
|
|
|
- |
| explorer.exe.mui | 0x00440000 | 0x00447fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00463fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x004f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00502fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x00511fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00520000 | 0x005ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x00620fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x00630fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x00653fff | Private Memory | rw |
|
|
|
- |
| display.pnf | 0x00660000 | 0x00661fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x00660fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x00670fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x00673fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000780000 | 0x00780000 | 0x007bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x0083ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008d0fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000008e0000 | 0x008e0000 | 0x00949fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x0097ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x009bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x009fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000a40000 | 0x00a40000 | 0x00a4ffff | Private Memory | rw |
|
|
|
- |
| explorer.exe | 0x00aa0000 | 0x00e76fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000e80000 | 0x00e80000 | 0x04e7ffff | Pagefile Backed Memory | - |
|
|
|
- |
| pagefile_0x0000000004e80000 | 0x04e80000 | 0x05007fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005010000 | 0x05010000 | 0x05190fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000051a0000 | 0x051a0000 | 0x0659ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x065a0000 | 0x068d6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000068e0000 | 0x068e0000 | 0x06997fff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| wsock32.dll | 0x739d0000 | 0x739d7fff | Memory Mapped File | rwx |
|
|
|
- |
| dxgi.dll | 0x739e0000 | 0x73a5dfff | Memory Mapped File | rwx |
|
|
|
- |
| sppc.dll | 0x73a60000 | 0x73a7cfff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x73a80000 | 0x73aa0fff | Memory Mapped File | rwx |
|
|
|
- |
| dcomp.dll | 0x73ab0000 | 0x73b4bfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d11.dll | 0x73b50000 | 0x73d62fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.dll | 0x73d70000 | 0x73e08fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x73e10000 | 0x73e17fff | Memory Mapped File | rwx |
|
|
|
- |
| winsta.dll | 0x73e20000 | 0x73e63fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x73e70000 | 0x73e88fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x744b0000 | 0x745f1fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x74840000 | 0x74860fff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x74930000 | 0x74b53fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75220000 | 0x75255fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x768b0000 | 0x76999fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x769b0000 | 0x76a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x76a90000 | 0x76c34fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c90000 | 0x76d21fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x76d30000 | 0x76d3dfff | Memory Mapped File | rwx |
|
|
|
- |
| wintrust.dll | 0x76d40000 | 0x76d81fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x773d0000 | 0x773d5fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x773e0000 | 0x773e6fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x77ab0000 | 0x77c24fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007f457000 | 0x7f457000 | 0x7f459fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f45a000 | 0x7f45a000 | 0x7f45cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f45d000 | 0x7f45d000 | 0x7f45ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007f460000 | 0x7f460000 | 0x7f55ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007f560000 | 0x7f560000 | 0x7f582fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f584000 | 0x7f584000 | 0x7f586fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f587000 | 0x7f587000 | 0x7f587fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f58a000 | 0x7f58a000 | 0x7f58cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007f58d000 | 0x7f58d000 | 0x7f58dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7df8ee37ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007df8ee380000 | 0x7df8ee380000 | 0x7ff8ee37ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #1: c:\users\ciihmnxmn6ps\desktop\volumesound.exe | 0xf20 | address = 0xb3dea0, size = 684 |
|
1 |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\Desktop\volumesound.exe | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\volumesound.exe | type = size |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop\volumesound.exe | size = 432128, size_out = 432128 |
|
1 |
Registry (10)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\137FBF1F\ | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = ProductID, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 65 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = ProductID, data = 48 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = ProductName, data = 87 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = CurrentVersion, data = 54 |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = InstallDate, data = 65 |
|
1 |
Module (115)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | NTDLL | base_address = 0x77ca0000 |
|
20 | |
| Load | ntdll | base_address = 0x77ca0000 |
|
2 | |
| Load | user32 | base_address = 0x77150000 |
|
2 | |
| Load | Psapi | base_address = 0x773d0000 |
|
2 | |
| Load | winsta.dll | base_address = 0x73e20000 |
|
2 | |
| Load | gdi32 | base_address = 0x77000000 |
|
2 | |
| Load | advapi32 | base_address = 0x76a10000 |
|
2 | |
| Load | shlwapi | base_address = 0x77290000 |
|
2 | |
| Load | shell32 | base_address = 0x75430000 |
|
2 | |
| Load | ole32 | base_address = 0x768b0000 |
|
2 | |
| Load | api-ms-win-core-com-l1-1-0 | base_address = 0x76e40000 |
|
4 | |
| Load | oleaut32 | base_address = 0x76c90000 |
|
2 | |
| Load | version | base_address = 0x73e10000 |
|
2 | |
| Load | crypt32 | base_address = 0x77ab0000 |
|
2 | |
| Load | wsock32 | base_address = 0x739d0000 |
|
1 | |
| Load | ws2_32 | base_address = 0x769b0000 |
|
19 | |
| Load | wininet | base_address = 0x74930000 |
|
1 | |
| Load | setupapi | base_address = 0x76a90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\explorer.exe, file_name_orig = C:\Windows\SysWOW64\explorer.exe, size = 1025 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlReAllocateHeap, address_out = 0x77cdbae0 |
|
2 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlAllocateHeap, address_out = 0x77cdda90 |
|
2 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlSizeHeap, address_out = 0x77cf4f40 |
|
2 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlExitUserThread, address_out = 0x77d02570 |
|
2 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlInitializeCriticalSection, address_out = 0x77cf95f0 |
|
2 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlEnterCriticalSection, address_out = 0x77ce5e80 |
|
2 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlLeaveCriticalSection, address_out = 0x77ce5e00 |
|
2 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlDeleteCriticalSection, address_out = 0x77cf9920 |
|
2 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlAddVectoredExceptionHandler, address_out = 0x77cff090 |
|
2 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = RtlRemoveVectoredExceptionHandler, address_out = 0x77cc8870 |
|
2 | |
| Get Address | c:\windows\syswow64\combase.dll | function = CoCreateInstance, address_out = 0x76ee8200 |
|
2 | |
| Get Address | c:\windows\syswow64\combase.dll | function = CoUninitialize, address_out = 0x76eadca0 |
|
2 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getpeername, address_out = 0x769c12c0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = inet_ntoa, address_out = 0x769c4b00 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = ntohs, address_out = 0x769c3650 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = send, address_out = 0x769bce20 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = connect, address_out = 0x769c33a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = select, address_out = 0x769c48e0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = ioctlsocket, address_out = 0x769bd860 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = socket, address_out = 0x769b9780 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = closesocket, address_out = 0x769b9ba0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAStartup, address_out = 0x769c2420 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = bind, address_out = 0x769be0f0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = listen, address_out = 0x769c3f40 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = accept, address_out = 0x769c4030 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = __WSAFDIsSet, address_out = 0x769c2f20 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = htons, address_out = 0x769c3650 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSACleanup, address_out = 0x769bda00 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = gethostname, address_out = 0x769dc920 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = gethostbyname, address_out = 0x769dc790 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = inet_addr, address_out = 0x769c2e90 |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = B6BD1409FA131780, wndproc_parameter = 0 |
|
1 |
System (201)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
196 | |
| Get Time | type = System Time, time = 2018-11-06 10:30:16 (UTC) |
|
2 | |
| Get Info | type = Operating System |
|
2 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\UzFCA0D558 |
|
1 |
