9b86a50b...0ad2 | Grouped Behavior
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Trojan, Ransomware

9b86a50b36aea5cc4cb60573a3660cf799a9ec1f69a3d4572d3dc277361a0ad2 (SHA256)

xhcdxx.exe

Windows Exe (x86-64)

Created at 2018-11-27 19:38:00

Notifications (2/3)

Some extracted files may be missing in the report since the maximum number of extracted files was reached during the analysis. You can increase the limit in the configuration settings.

The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.

The operating system was rebooted during the analysis.

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0xb0 Analysis Target High (Elevated) xhcdxx.exe "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe" -
#2 0xf0 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F #1
#3 0x3c8 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F #1
#4 0x578 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F #1
#5 0x308 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F #1
#6 0x7f0 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F #1
#7 0x7f4 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM excel.exe /F #1
#8 0x814 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F #1
#9 0x82c Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM infopath.exe /F #1
#10 0x848 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F #1
#11 0x868 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F #1
#12 0x880 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F #1
#13 0x8a8 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mspub.exe /F #1
#14 0x8c0 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F #1
#15 0x91c Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F #1
#16 0x960 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F #1
#18 0xa58 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F #1
#19 0xa6c Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F #1
#20 0xa9c Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F #1
#21 0xab8 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F #1
#22 0xb2c Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F #1
#23 0xb44 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM onenote.exe /F #1
#25 0xb94 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM oracle.exe /F #1
#26 0xbb0 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM outlook.exe /F #1
#27 0xbe8 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F #1
#28 0x81c Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F #1
#29 0x924 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F #1
#30 0xa84 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F #1
#31 0x824 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F #1
#32 0xc08 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F #1
#33 0xc4c Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM steam.exe /F #1
#34 0xc64 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM synctime.exe /F #1
#35 0xcbc Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F #1
#36 0xce0 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM thebat.exe /F #1
#37 0xd40 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F #1
#38 0xd68 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F #1
#39 0xdb4 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM visio.exe /F #1
#40 0xddc Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM winword.exe /F #1
#41 0xe2c Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F #1
#42 0xe44 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F #1
#43 0xe90 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F #1
#44 0xeac Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F #1
#45 0xedc Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F #1
#46 0xef0 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F #1
#47 0xf14 Child Process High (Elevated) taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F #1
#48 0xf7c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y #1
#49 0xf8c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y #1
#50 0xfb4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos Agent" /y #1
#51 0xff0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y #1
#52 0xc10 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y #1
#53 0xce8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos Agent" /y #50
#54 0xcf8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Enterprise Client Service" /y #49
#55 0xdbc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Acronis VSS Provider" /y #48
#56 0xde4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y #1
#57 0xeb4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y #1
#58 0xf04 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos Clean Service" /y #52
#59 0xfc8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos Health Service" /y #1
#60 0xec0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y #1
#61 0x1010 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y #1
#62 0x101c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y #51
#63 0x1034 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos Message Router" /y #1
#64 0x1048 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y #1
#65 0x106c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos Device Control Service" /y #56
#66 0x1074 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y #57
#67 0x1080 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y #1
#68 0x108c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos Health Service" /y #59
#69 0x1094 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos MCS Agent" /y #60
#70 0x10a8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y #1
#71 0x10c0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos Message Router" /y #63
#72 0x10cc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos MCS Client" /y #61
#73 0x10d4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y #1
#74 0x10f4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y #1
#75 0x1120 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos System Protection Service" /y #67
#76 0x1128 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y #1
#77 0x1138 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos Safestore Service" /y #64
#78 0x1144 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Sophos Web Control Service" /y #70
#79 0x1154 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y #1
#80 0x1160 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y #73
#81 0x117c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop AcronisAgent /y #1
#82 0x1190 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop AcrSch2Svc /y #1
#83 0x11a8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y #74
#84 0x1270 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop Antivirus /y #1
#85 0x1290 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop ARSM /y #1
#86 0x12a0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop AcrSch2Svc /y #82
#87 0x12a8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop AcronisAgent /y #81
#88 0x12b0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Symantec System Recovery" /y #76
#89 0x12b8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y #79
#90 0x12c8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y #1
#91 0x12d4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop Antivirus /y #84
#92 0x12ec Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y #1
#93 0x1300 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y #1
#94 0x1320 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop ARSM /y #85
#95 0x1328 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop BackupExecJobEngine /y #1
#96 0x133c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop BackupExecManagementService /y #1
#97 0x1350 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop BackupExecRPCService /y #1
#98 0x137c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y #90
#99 0x1384 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y #93
#100 0x138c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop BackupExecAgentBrowser /y #92
#101 0x1394 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y #1
#102 0x13b4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop bedbg /y #1
#103 0x13c0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop BackupExecJobEngine /y #95
#104 0x13c8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop BackupExecManagementService /y #96
#105 0x13d0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop BackupExecRPCService /y #97
#106 0x13ec Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop DCAgent /y #1
#107 0xe40 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop BackupExecVSSProvider /y #101
#108 0x1028 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop EPSecurityService /y #1
#109 0x1050 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop EPUpdateService /y #1
#110 0xcdc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop bedbg /y #102
#111 0xff0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop DCAgent /y #106
#112 0x1088 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop EraserSvc11710 /y #1
#113 0xf90 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop EsgShKernel /y #1
#114 0x1070 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop FA_Scheduler /y #1
#115 0x108c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop IISAdmin /y #1
#116 0x1094 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop EPUpdateService /y #109
#117 0xfb4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop EPSecurityService /y #108
#118 0xfa8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop IMAP4Svc /y #1
#119 0xf94 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop EraserSvc11710 /y #112
#120 0xde4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop macmnsvc /y #1
#121 0xef8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop masvc /y #1
#122 0x1014 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop FA_Scheduler /y #114
#123 0xfc8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop EsgShKernel /y #113
#124 0x1058 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop IISAdmin /y #115
#125 0x1034 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MBAMService /y #1
#126 0x10fc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop IMAP4Svc /y #118
#127 0x1124 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MBEndpointAgent /y #1
#128 0x10bc Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop McAfeeEngineService /y #1
#129 0x1100 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop McAfeeFramework /y #1
#130 0xa4c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MBEndpointAgent /y #127
#131 0xa40 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop macmnsvc /y #120
#132 0x10b4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop masvc /y #121
#133 0x118c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MBAMService /y #125
#134 0x11a8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y #1
#135 0x97c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop McShield /y #1
#136 0x890 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop McAfeeEngineService /y #128
#137 0x10f4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop McAfeeFramework /y #129
#138 0xb00 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop McTaskManager /y #1
#139 0xae4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop mfemms /y #1
#140 0x11e0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y #134
#141 0xadc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop McShield /y #135
#142 0xb78 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop mfevtp /y #1
#143 0x990 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MMS /y #1
#144 0x9b4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop McTaskManager /y #138
#145 0xb80 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop mfemms /y #139
#146 0x94c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop mozyprobackup /y #1
#147 0x1204 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MsDtsServer /y #1
#148 0xbf0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MMS /y #143
#149 0x974 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop mfevtp /y #142
#150 0x944 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MsDtsServer100 /y #1
#151 0xb20 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MsDtsServer110 /y #1
#152 0x8d0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MsDtsServer /y #147
#153 0xaf0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop mozyprobackup /y #146
#154 0x7f0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSExchangeES /y #1
#155 0x870 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSExchangeIS /y #1
#156 0x96c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSExchangeMGMT /y #1
#157 0xaac Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MsDtsServer100 /y #150
#158 0x8d4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MsDtsServer110 /y #151
#159 0x7e0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSExchangeMTA /y #1
#160 0x92c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSExchangeSA /y #1
#161 0x918 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSExchangeES /y #154
#162 0x8e8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSExchangeIS /y #155
#163 0x884 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSExchangeMGMT /y #156
#164 0x940 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSExchangeSRS /y #1
#165 0x818 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y #1
#166 0xb4c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y #1
#167 0xb48 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSExchangeMTA /y #159
#168 0xab8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSOLAP$TPS /y #1
#169 0x828 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y #1
#170 0x5c4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSExchangeSA /y #160
#171 0xb8c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSExchangeSRS /y #164
#172 0x9c8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y #165
#173 0x938 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y #1
#174 0xc28 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y #166
#175 0xb3c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y #1
#176 0x7c4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y #1
#177 0xb94 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSOLAP$TPS /y #168
#178 0xba8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y #1
#179 0x89c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y #169
#180 0xba4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y #1
#181 0x8a8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y #1
#182 0xa34 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y #173
#183 0xab4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y #176
#184 0x127c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y #175
#185 0x1280 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y #178
#186 0x1160 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y #1
#187 0xa30 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y #1
#188 0x12b4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y #1
#189 0x1288 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$TPS /y #1
#190 0x1190 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y #1
#191 0x1310 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y #187
#192 0x1180 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y #180
#193 0x1274 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y #181
#194 0x11a4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y #186
#195 0x1218 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y #1
#196 0x1324 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y #1
#197 0x134c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y #188
#198 0x1358 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$TPS /y #189
#199 0x1380 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y #1
#200 0x1384 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$TPSAMA /y #190
#201 0x13e4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y #1
#202 0x1390 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y #1
#203 0x81c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y #195
#204 0x83c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y #196
#205 0x136c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y #1
#206 0x12f0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y #1
#207 0x1354 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y #1
#208 0x1368 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y #1
#209 0x1360 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y #205
#210 0x1328 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher /y #199
#211 0x1334 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y #201
#212 0xdd8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y #1
#213 0xf04 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y #202
#214 0xcdc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y #206
#215 0x1064 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLSERVER /y #1
#216 0x13e0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y #207
#217 0x1020 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y #1
#218 0xb34 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y #208
#219 0xf84 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y #212
#220 0x1078 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y #1
#221 0x1028 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MySQL80 /y #1
#222 0x10b0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MySQL57 /y #1
#223 0x1264 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y #217
#224 0x1050 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop ntrtscan /y #1
#225 0x101c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLSERVER /y #215
#226 0x10c4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop OracleClientCache80 /y #1
#227 0x1088 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop PDVFSService /y #1
#228 0x1040 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop POP3Svc /y #1
#229 0xc84 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop ReportServer /y #1
#230 0x1130 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y #1
#231 0x1070 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y #1
#232 0xf90 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop ReportServer$TPS /y #1
#233 0x1004 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop ReportServer /y #229
#234 0xfa8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y #230
#235 0x10ac Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y #1
#236 0x118c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop RESvc /y #1
#237 0xa4c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop ReportServer$TPS /y #232
#238 0x104c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y #231
#239 0x1080 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop sacsvr /y #1
#240 0x1084 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SamSs /y #1
#241 0xc24 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop ReportServer$TPSAMA /y #235
#242 0x1030 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop RESvc /y #236
#243 0x11d0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SAVAdminService /y #1
#244 0x11e8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SAVService /y #1
#245 0x11e0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SamSs /y #240
#246 0x9b8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop sacsvr /y #239
#247 0x11a8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SDRSVC /y #1
#248 0x1200 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SepMasterService /y #1
#249 0x988 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SAVService /y #244
#250 0x998 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SAVAdminService /y #243
#251 0x7fc Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop ShMonitor /y #1
#252 0x414 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SepMasterService /y #248
#253 0x1204 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLServerOLAPService /y #220
#254 0xbc4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MySQL57 /y #222
#255 0xbe4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop OracleClientCache80 /y #226
#256 0xaec Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop Smcinst /y #1
#257 0x950 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SDRSVC /y #247
#258 0x8e0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SmcService /y #1
#259 0xa7c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SMTPSvc /y #1
#260 0xb54 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MySQL80 /y #221
#261 0xaa0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop ShMonitor /y #251
#262 0x884 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop PDVFSService /y #227
#263 0x6dc Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SNAC /y #1
#264 0x121c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop POP3Svc /y #228
#265 0xc30 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop ntrtscan /y #224
#266 0x920 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SmcService /y #258
#267 0xb50 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop Smcinst /y #256
#268 0x96c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SntpService /y #1
#269 0xa1c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop sophossps /y #1
#270 0x898 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SNAC /y #263
#271 0xc14 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SMTPSvc /y #259
#272 0xd78 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y #1
#273 0x854 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SntpService /y #268
#274 0x80c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y #1
#275 0xf0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop sophossps /y #269
#276 0xecc Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y #1
#277 0xd4c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y #272
#278 0xa9c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y #1
#279 0xd0c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y #1
#280 0xab0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y #1
#281 0x860 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y #1
#282 0x82c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y #274
#283 0xfe0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y #1
#284 0xfd8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y #276
#285 0xca4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y #280
#286 0xc28 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y #279
#287 0x8a4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y #278
#288 0xf3c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y #1
#289 0xe48 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$TPS /y #1
#290 0x9c8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y #1
#291 0x61c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y #281
#292 0xd38 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y #283
#293 0xc68 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y #1
#294 0xd44 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$TPS /y #289
#295 0xe68 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y #288
#296 0xdb8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y #1
#297 0xdb0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLBrowser /y #1
#298 0x84c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y #290
#299 0x928 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLSafeOLRService /y #1
#300 0xd74 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y #1
#301 0xe94 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLTELEMETRY /y #1
#302 0xeb0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y #293
#303 0xf88 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y #296
#304 0xee0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLSafeOLRService /y #299
#305 0xc48 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y #1
#306 0x808 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLWriter /y #1
#307 0xe64 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLTELEMETRY /y #301
#308 0xed4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLSERVERAGENT /y #300
#309 0xef0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLBrowser /y #297
#310 0x92c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SstpSvc /y #1
#311 0x908 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop svcGenericHost /y #1
#312 0xf14 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLWriter /y #306
#313 0xc08 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y #305
#314 0xe3c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop swi_service /y #1
#315 0xdc0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop svcGenericHost /y #311
#316 0xe54 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SstpSvc /y #310
#317 0x115c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop swi_update_64 /y #1
#318 0x890 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop TmCCSF /y #1
#319 0xd40 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop swi_service /y #314
#320 0xdf0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop tmlisten /y #1
#321 0x95c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop TrueKey /y #1
#322 0x79c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop swi_update_64 /y #317
#323 0x8b8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop TmCCSF /y #318
#324 0xd04 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop TrueKeyScheduler /y #1
#325 0x1198 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y #1
#326 0x540 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop UI0Detect /y #1
#327 0xb44 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamBackupSvc /y #1
#328 0x91c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop TrueKey /y #321
#329 0x404 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop tmlisten /y #320
#330 0xb3c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop TrueKeyScheduler /y #324
#331 0x11a4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop TrueKeyServiceHelper /y #325
#332 0x12fc Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y #1
#333 0x1160 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y #1
#334 0x1308 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamBackupSvc /y #327
#335 0xb5c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop UI0Detect /y #326
#336 0x10e0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamCloudSvc /y #1
#337 0x8a8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamDeploymentService /y #1
#338 0x1358 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamBrokerSvc /y #332
#339 0x13dc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamCatalogSvc /y #333
#340 0x13d4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamDeploySvc /y #1
#341 0x13c8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y #1
#342 0x1188 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamMountSvc /y #1
#343 0x12b0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamCloudSvc /y #336
#344 0x12e4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamDeploymentService /y #337
#345 0xac0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamNFSSvc /y #1
#346 0x1344 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamRESTSvc /y #1
#347 0x1348 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamTransportSvc /y #1
#348 0x1360 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop W3Svc /y #1
#349 0x136c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y #341
#350 0x1370 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamDeploySvc /y #340
#351 0x13cc Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamNFSSvc /y #345
#352 0xc38 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop wbengine /y #1
#353 0xc34 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamMountSvc /y #342
#354 0x13b4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop WRSVC /y #1
#355 0xfec Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamTransportSvc /y #347
#356 0x13bc Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y #1
#357 0x1390 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamRESTSvc /y #346
#358 0x1008 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop wbengine /y #352
#359 0x1094 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop W3Svc /y #348
#360 0x100c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y #1
#361 0xfb4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y #1
#362 0x105c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop WRSVC /y #354
#363 0x101c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y #360
#364 0x103c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y #356
#365 0xfe4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop swi_update /y #1
#366 0xdd8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y #1
#367 0xc6c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y #361
#368 0x1064 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y #1
#369 0xd48 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "SQL Backups" /y #1
#370 0x1038 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$CXDB /y #366
#371 0xfa8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop swi_update /y #365
#372 0x1058 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$PROD /y #1
#373 0x104c Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y #1
#374 0x11c4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "SQL Backups" /y #369
#375 0xc24 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y #368
#376 0xfa4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y #1
#377 0x1068 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$PROD /y #1
#378 0x109c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop "Zoolz 2 Service" /y #373
#379 0x11e0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$PROD /y #372
#380 0xa48 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop msftesql$PROD /y #1
#381 0x1130 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop NetMsmqActivator /y #1
#382 0x10d8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQLServerADHelper /y #376
#383 0x111c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$PROD /y #377
#384 0x1144 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop EhttpSrv /y #1
#385 0x998 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop ekrn /y #1
#386 0xad8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop NetMsmqActivator /y #381
#387 0xb00 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop msftesql$PROD /y #380
#388 0x1168 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop ESHASRV /y #1
#389 0x798 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y #1
#390 0xb7c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop ekrn /y #385
#391 0x94c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop EhttpSrv /y #384
#392 0x8d8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y #1
#393 0x9fc Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop AVP /y #1
#394 0x1204 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$SOPHOS /y #389
#395 0x49c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop ESHASRV /y #388
#396 0x474 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop klnagent /y #1
#397 0xea8 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y #1
#398 0x948 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y #392
#399 0x8d4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop AVP /y #393
#400 0xb78 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y #1
#401 0x7f0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop wbengine /y #1
#402 0xbb8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop klnagent /y #396
#403 0xac4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop kavfsslp /y #1
#404 0xa98 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y #397
#405 0xfb8 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y #400
#406 0x8c4 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop KAVFSGT /y #1
#407 0x2e0 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop KAVFS /y #1
#408 0xb20 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop wbengine /y #401
#409 0x7f4 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop kavfsslp /y #403
#410 0x870 Child Process High (Elevated) net.exe "C:\Windows\System32\net.exe" stop mfefire /y #1
#411 0xe7c Child Process High (Elevated) cmd.exe "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe" /f #1
#412 0x448 Injection Medium dwm.exe "C:\Windows\system32\Dwm.exe" #1
#413 0x8f0 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop KAVFS /y #407
#414 0xe04 Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop KAVFSGT /y #406
#415 0xd2c Child Process High (Elevated) net1.exe C:\Windows\system32\net1 stop mfefire /y #410
#416 0x4a4 Injection Medium taskhost.exe "taskhost.exe" #1
#417 0xdac Child Process High (Elevated) reg.exe REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe" /f #411
#418 0x59c Injection High (Elevated) taskeng.exe taskeng.exe {CD671DAD-4B74-4170-B439-24634829D136} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:Highest[1] #1
#420 0x75c Autostart Medium xhcdxx.exe "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe" -
#421 0x278 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F #420
#422 0x430 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F #420
#423 0x234 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F #420
#424 0x69c Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F #420
#425 0x728 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F #420
#426 0x334 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM excel.exe /F #420
#428 0x768 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F #420
#429 0x7e4 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM infopath.exe /F #420
#430 0x178 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F #420
#431 0x834 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F #420
#432 0x86c Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F #420
#433 0x888 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mspub.exe /F #420
#435 0x8b4 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F #420
#436 0x8e0 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F #420
#437 0x900 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F #420
#438 0x940 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F #420
#439 0x96c Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F #420
#440 0x98c Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F #420
#441 0x9d8 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F #420
#442 0xa10 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F #420
#443 0xa70 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM onenote.exe /F #420
#444 0xa94 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM oracle.exe /F #420
#445 0xb00 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM outlook.exe /F #420
#446 0xb24 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F #420
#447 0xb68 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F #420
#448 0xb88 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F #420
#449 0xbbc Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F #420
#450 0xbd8 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F #420
#451 0x548 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F #420
#452 0x874 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM steam.exe /F #420
#453 0x7fc Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM synctime.exe /F #420
#454 0x994 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F #420
#455 0x8d4 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM thebat.exe /F #420
#456 0xc18 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F #420
#457 0xc40 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F #420
#458 0xc68 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM visio.exe /F #420
#459 0xc80 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM winword.exe /F #420
#460 0xca4 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F #420
#461 0xcb8 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F #420
#462 0xcfc Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F #420
#463 0xd18 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F #420
#464 0xd6c Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F #420
#465 0xd90 Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F #420
#466 0xddc Child Process Medium taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F #420
#467 0xe08 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y #420
#468 0xe30 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y #420
#469 0xe74 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Sophos Agent" /y #420
#470 0xe8c Child Process Medium net1.exe C:\Windows\system32\net1 stop "Enterprise Client Service" /y #468
#471 0xe94 Child Process Medium net1.exe C:\Windows\system32\net1 stop "Acronis VSS Provider" /y #467
#472 0xea4 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y #420
#473 0xecc Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y #420
#474 0xee4 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y #420
#475 0xef8 Child Process Medium net1.exe C:\Windows\system32\net1 stop "Sophos Agent" /y #469
#476 0xf08 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y #420
#477 0xf28 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Sophos Health Service" /y #420
#478 0xf30 Child Process Medium net1.exe C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y #472
#479 0xf38 Child Process Medium net1.exe C:\Windows\system32\net1 stop "Sophos Clean Service" /y #473
#480 0xf54 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y #420
#481 0xf6c Child Process Medium net1.exe C:\Windows\system32\net1 stop "Sophos Device Control Service" /y #474
#482 0xf7c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y #420
#483 0xf90 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Sophos Message Router" /y #420
#484 0xfa0 Child Process Medium net1.exe C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y #476
#485 0xfa8 Child Process Medium net1.exe C:\Windows\system32\net1 stop "Sophos MCS Agent" /y #480
#486 0xfc0 Child Process Medium net1.exe C:\Windows\system32\net1 stop "Sophos Health Service" /y #477
#487 0xfcc Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y #420
#488 0xff8 Child Process Medium net1.exe C:\Windows\system32\net1 stop "Sophos MCS Client" /y #482
#489 0xeb0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y #420
#490 0xe30 Child Process Medium net1.exe C:\Windows\system32\net1 stop "Sophos Safestore Service" /y #487
#491 0xe44 Child Process Medium net1.exe C:\Windows\system32\net1 stop "Sophos Message Router" /y #483
#492 0xe54 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y #420
#493 0xefc Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y #420
#494 0xee0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y #420
#495 0xf38 Child Process Medium net1.exe C:\Windows\system32\net1 stop "Sophos System Protection Service" /y #489
#496 0xf34 Child Process Medium net1.exe C:\Windows\system32\net1 stop "Sophos Web Control Service" /y #492
#497 0xfd8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y #420
#498 0xfe4 Child Process Medium net1.exe C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y #493
#499 0xfec Child Process Medium net1.exe C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y #494
#500 0x504 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y #420
#501 0x9d4 Child Process Medium net1.exe C:\Windows\system32\net1 stop "Symantec System Recovery" /y #497
#502 0xf48 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop AcronisAgent /y #420
#503 0x8ac Child Process Medium net.exe "C:\Windows\System32\net.exe" stop AcrSch2Svc /y #420
#504 0xc30 Child Process Medium net1.exe C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y #500
#505 0xa00 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop Antivirus /y #420
#506 0x860 Child Process Medium net1.exe C:\Windows\system32\net1 stop AcronisAgent /y #502
#507 0x354 Child Process Medium net1.exe C:\Windows\system32\net1 stop AcrSch2Svc /y #503
#508 0x9c8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop ARSM /y #420
#509 0x178 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y #420
#510 0xf58 Child Process Medium net1.exe C:\Windows\system32\net1 stop Antivirus /y #505
#511 0x998 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y #420
#512 0x844 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y #420
#513 0x730 Child Process Medium net1.exe C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y #509
#514 0x528 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop BackupExecJobEngine /y #420
#515 0x128 Child Process Medium net1.exe C:\Windows\system32\net1 stop ARSM /y #508
#516 0x81c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop BackupExecManagementService /y #420
#517 0x728 Child Process Medium net1.exe C:\Windows\system32\net1 stop BackupExecAgentBrowser /y #511
#518 0x69c Child Process Medium net1.exe C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y #512
#519 0x84c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop BackupExecRPCService /y #420
#520 0x97c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y #420
#521 0xf28 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop bedbg /y #420
#522 0x904 Child Process Medium net1.exe C:\Windows\system32\net1 stop BackupExecJobEngine /y #514
#523 0x8b8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop DCAgent /y #420
#524 0x87c Child Process Medium net1.exe C:\Windows\system32\net1 stop BackupExecManagementService /y #516
#525 0x780 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop EPSecurityService /y #420
#526 0x530 Child Process Medium net1.exe C:\Windows\system32\net1 stop BackupExecRPCService /y #519
#527 0x9ac Child Process Medium net1.exe C:\Windows\system32\net1 stop BackupExecVSSProvider /y #520
#528 0xff8 Child Process Medium net1.exe C:\Windows\system32\net1 stop bedbg /y #521
#529 0x1dc Child Process Medium net1.exe C:\Windows\system32\net1 stop DCAgent /y #523
#530 0x138 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop EPUpdateService /y #420
#531 0xf54 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop EraserSvc11710 /y #420
#532 0xfb0 Child Process Medium net1.exe C:\Windows\system32\net1 stop EPSecurityService /y #525
#533 0xb28 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop EsgShKernel /y #420
#534 0x738 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop FA_Scheduler /y #420
#535 0x910 Child Process Medium net1.exe C:\Windows\system32\net1 stop EraserSvc11710 /y #531
#536 0x8a0 Child Process Medium net1.exe C:\Windows\system32\net1 stop EPUpdateService /y #530
#537 0x880 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop IISAdmin /y #420
#538 0x708 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop IMAP4Svc /y #420
#539 0xe7c Child Process Medium net1.exe C:\Windows\system32\net1 stop EsgShKernel /y #533
#540 0xe08 Child Process Medium net1.exe C:\Windows\system32\net1 stop FA_Scheduler /y #534
#541 0xdf8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop macmnsvc /y #420
#542 0xfd0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop masvc /y #420
#543 0xaa8 Child Process Medium net1.exe C:\Windows\system32\net1 stop IMAP4Svc /y #538
#544 0xe74 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MBAMService /y #420
#545 0xed8 Child Process Medium net1.exe C:\Windows\system32\net1 stop IISAdmin /y #537
#546 0xd58 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MBEndpointAgent /y #420
#547 0xe60 Child Process Medium net1.exe C:\Windows\system32\net1 stop macmnsvc /y #541
#548 0x15c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop McAfeeEngineService /y #420
#549 0xd60 Child Process Medium net1.exe C:\Windows\system32\net1 stop masvc /y #542
#550 0xeac Child Process Medium net.exe "C:\Windows\System32\net.exe" stop McAfeeFramework /y #420
#551 0xf6c Child Process Medium net1.exe C:\Windows\system32\net1 stop MBAMService /y #544
#552 0xb50 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y #420
#553 0xf24 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop McShield /y #420
#554 0xae0 Child Process Medium net1.exe C:\Windows\system32\net1 stop MBEndpointAgent /y #546
#555 0xb48 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop McTaskManager /y #420
#556 0xfa4 Child Process Medium net1.exe C:\Windows\system32\net1 stop McAfeeEngineService /y #548
#557 0xd44 Child Process Medium net1.exe C:\Windows\system32\net1 stop McAfeeFramework /y #550
#558 0xfac Child Process Medium net1.exe C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y #552
#559 0x9a8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop mfemms /y #420
#560 0x9f0 Child Process Medium net1.exe C:\Windows\system32\net1 stop McShield /y #553
#561 0x874 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop mfevtp /y #420
#562 0xd94 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MMS /y #420
#563 0xeb8 Child Process Medium net1.exe C:\Windows\system32\net1 stop McTaskManager /y #555
#564 0xe84 Child Process Medium net1.exe C:\Windows\system32\net1 stop mfevtp /y #561
#565 0xf3c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop mozyprobackup /y #420
#566 0xa34 Child Process Medium net1.exe C:\Windows\system32\net1 stop mfemms /y #559
#567 0xcc4 Child Process Medium net1.exe C:\Windows\system32\net1 stop MMS /y #562
#568 0xda4 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MsDtsServer /y #420
#569 0xf50 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MsDtsServer100 /y #420
#570 0x908 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MsDtsServer110 /y #420
#571 0xd70 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSExchangeES /y #420
#572 0xab0 Child Process Medium net1.exe C:\Windows\system32\net1 stop MsDtsServer100 /y #569
#573 0x8c4 Child Process Medium net1.exe C:\Windows\system32\net1 stop mozyprobackup /y #565
#574 0xb6c Child Process Medium net1.exe C:\Windows\system32\net1 stop MsDtsServer /y #568
#575 0xc04 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSExchangeIS /y #420
#576 0xa78 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSExchangeMGMT /y #420
#577 0xb34 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSExchangeES /y #571
#578 0xd9c Child Process Medium net1.exe C:\Windows\system32\net1 stop MsDtsServer110 /y #570
#579 0xbd4 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSExchangeMTA /y #420
#580 0xb0c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSExchangeSA /y #420
#581 0xe14 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSExchangeIS /y #575
#582 0xb64 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSExchangeMGMT /y #576
#583 0xc1c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSExchangeSRS /y #420
#584 0xaf4 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y #420
#585 0xdc4 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSExchangeSRS /y #583
#586 0xbb4 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSExchangeMTA /y #579
#587 0x8fc Child Process Medium net1.exe C:\Windows\system32\net1 stop MSExchangeSA /y #580
#588 0x808 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y #420
#589 0x9e4 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSOLAP$TPS /y #420
#590 0xe04 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y #584
#591 0xe88 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y #420
#592 0xe54 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y #420
#593 0xd38 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y #588
#594 0xddc Child Process Medium net1.exe C:\Windows\system32\net1 stop MSOLAP$TPS /y #589
#595 0xc40 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y #420
#596 0xb68 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y #420
#597 0x994 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y #591
#598 0xb00 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y #592
#599 0xa84 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y #420
#600 0x98c Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y #595
#601 0xa10 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y #420
#602 0xc90 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y #420
#603 0xef8 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y #596
#604 0x360 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y #599
#605 0x9d0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y #420
#606 0x8d8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y #420
#607 0xff0 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y #601
#608 0xc5c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y #420
#609 0x8c8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$TPS /y #420
#610 0x804 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y #602
#611 0x820 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y #606
#612 0x960 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y #605
#613 0x8b0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y #420
#614 0x92c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y #420
#615 0x9cc Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y #420
#616 0x76c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y #420
#617 0x998 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y #608
#618 0x9e0 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y #614
#619 0xe2c Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$TPS /y #609
#620 0x6f0 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$TPSAMA /y #613
#621 0x278 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y #420
#622 0x7e4 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y #420
#623 0x81c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y #420
#624 0xffc Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y #622
#625 0x1dc Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y #615
#626 0x350 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher /y #616
#627 0x8b8 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y #621
#628 0x870 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y #420
#629 0x84c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y #420
#630 0x534 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y #623
#631 0x828 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y #420
#632 0x348 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y #420
#633 0x458 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y #628
#634 0x234 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y #629
#635 0x8d0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQLSERVER /y #420
#636 0x510 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y #420
#637 0x138 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y #631
#638 0xbf4 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y #420
#639 0xe8c Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y #632
#640 0xe08 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQLSERVER /y #635
#641 0xf90 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y #636
#642 0x964 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MySQL80 /y #420
#643 0x984 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MySQL57 /y #420
#644 0xa08 Child Process Medium net1.exe C:\Windows\system32\net1 stop MySQL80 /y #642
#645 0xc78 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop ntrtscan /y #420
#646 0xa8c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop OracleClientCache80 /y #420
#647 0x9d4 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQLServerOLAPService /y #638
#648 0xfe0 Child Process Medium net1.exe C:\Windows\system32\net1 stop MySQL57 /y #643
#649 0xff4 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop PDVFSService /y #420
#650 0x8ac Child Process Medium net1.exe C:\Windows\system32\net1 stop OracleClientCache80 /y #646
#651 0xf58 Child Process Medium net1.exe C:\Windows\system32\net1 stop ntrtscan /y #645
#652 0x128 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop POP3Svc /y #420
#653 0xf04 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop ReportServer /y #420
#654 0xed4 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y #420
#655 0xe60 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y #420
#656 0xec8 Child Process Medium net1.exe C:\Windows\system32\net1 stop PDVFSService /y #649
#657 0x918 Child Process Medium net1.exe C:\Windows\system32\net1 stop POP3Svc /y #652
#658 0xef4 Child Process Medium net1.exe C:\Windows\system32\net1 stop ReportServer /y #653
#659 0xb3c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop ReportServer$TPS /y #420
#660 0x73c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y #420
#661 0xbec Child Process Medium net.exe "C:\Windows\System32\net.exe" stop RESvc /y #420
#662 0xf10 Child Process Medium net1.exe C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y #654
#663 0xee4 Child Process Medium net1.exe C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y #655
#664 0xf38 Child Process Medium net1.exe C:\Windows\system32\net1 stop ReportServer$TPS /y #659
#665 0xc64 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop sacsvr /y #420
#666 0xd80 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SamSs /y #420
#667 0xfa4 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SAVAdminService /y #420
#668 0xf00 Child Process Medium net1.exe C:\Windows\system32\net1 stop ReportServer$TPSAMA /y #660
#669 0xc48 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SAVService /y #420
#670 0xb50 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SDRSVC /y #420
#671 0xb90 Child Process Medium net1.exe C:\Windows\system32\net1 stop SAVAdminService /y #667
#672 0xba8 Child Process Medium net1.exe C:\Windows\system32\net1 stop RESvc /y #661
#673 0xc60 Child Process Medium net1.exe C:\Windows\system32\net1 stop sacsvr /y #665
#674 0xe70 Child Process Medium net1.exe C:\Windows\system32\net1 stop SamSs /y #666
#675 0x928 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SepMasterService /y #420
#676 0xe84 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop ShMonitor /y #420
#677 0xe40 Child Process Medium net1.exe C:\Windows\system32\net1 stop SAVService /y #669
#678 0x874 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop Smcinst /y #420
#679 0xe1c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SmcService /y #420
#680 0xa24 Child Process Medium net1.exe C:\Windows\system32\net1 stop SDRSVC /y #670
#681 0x9a8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SMTPSvc /y #420
#682 0xdb8 Child Process Medium net1.exe C:\Windows\system32\net1 stop ShMonitor /y #676
#683 0xda4 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SNAC /y #420
#684 0x970 Child Process Medium net1.exe C:\Windows\system32\net1 stop SepMasterService /y #675
#685 0xd28 Child Process Medium net1.exe C:\Windows\system32\net1 stop Smcinst /y #678
#686 0xf50 Child Process Medium net1.exe C:\Windows\system32\net1 stop SMTPSvc /y #681
#687 0xdb4 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SntpService /y #420
#688 0xd9c Child Process Medium net1.exe C:\Windows\system32\net1 stop SmcService /y #679
#689 0xbc8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop sophossps /y #420
#690 0xb34 Child Process Medium net1.exe C:\Windows\system32\net1 stop SNAC /y #683
#691 0xd70 Child Process Medium net1.exe C:\Windows\system32\net1 stop SntpService /y #687
#692 0xd0c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y #420
#693 0xcc8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y #420
#694 0xba0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y #420
#695 0xc3c Child Process Medium net1.exe C:\Windows\system32\net1 stop sophossps /y #689
#696 0xb04 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y #420
#697 0xc38 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y #692
#698 0xdc4 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y #693
#699 0xcf0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y #420
#700 0xb08 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y #420
#701 0xd68 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y #696
#702 0xdd4 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y #694
#703 0xaf4 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y #420
#704 0xde0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y #420
#705 0xedc Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y #699
#706 0xd38 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y #700
#707 0xd64 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y #420
#708 0x848 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$TPS /y #420
#709 0xd6c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y #420
#710 0xcd4 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y #420
#711 0x9fc Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y #707
#712 0xac4 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y #703
#713 0xa54 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y #704
#714 0x938 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y #420
#715 0x618 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLBrowser /y #420
#716 0xbbc Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$TPS /y #708
#717 0x548 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLSafeOLRService /y #420
#718 0xbe4 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y #709
#719 0xca4 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y #710
#720 0xf08 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y #420
#721 0xfc0 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y #714
#722 0xfe8 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLBrowser /y #715
#723 0x878 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLTELEMETRY /y #420
#724 0xc28 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y #420
#725 0x90c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLWriter /y #420
#726 0xf98 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLSERVERAGENT /y #720
#727 0x784 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLSafeOLRService /y #717
#728 0x6f4 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SstpSvc /y #420
#729 0x9e0 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLTELEMETRY /y #723
#730 0x940 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop svcGenericHost /y #420
#731 0x8c8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop swi_filter /y #420
#732 0x764 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop swi_service /y #420
#733 0x8f4 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y #724
#734 0x440 Child Process Medium net1.exe C:\Windows\system32\net1 stop svcGenericHost /y #730
#735 0x278 Child Process Medium net1.exe C:\Windows\system32\net1 stop SstpSvc /y #728
#736 0xffc Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLWriter /y #725
#737 0x350 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop swi_update_64 /y #420
#738 0x8cc Child Process Medium net.exe "C:\Windows\System32\net.exe" stop TmCCSF /y #420
#739 0xff8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop tmlisten /y #420
#740 0xf64 Child Process Medium net1.exe C:\Windows\system32\net1 stop swi_filter /y #731
#741 0x8b4 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop TrueKey /y #420
#742 0x234 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop TrueKeyScheduler /y #420
#743 0x530 Child Process Medium net1.exe C:\Windows\system32\net1 stop swi_service /y #732
#744 0xf40 Child Process Medium net1.exe C:\Windows\system32\net1 stop swi_update_64 /y #737
#745 0x86c Child Process Medium net1.exe C:\Windows\system32\net1 stop TmCCSF /y #738
#746 0xe18 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y #420
#747 0x7d8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop UI0Detect /y #420
#748 0xfbc Child Process Medium net1.exe C:\Windows\system32\net1 stop tmlisten /y #739
#749 0xf20 Child Process Medium net1.exe C:\Windows\system32\net1 stop TrueKeyScheduler /y #742
#750 0x8a0 Child Process Medium net1.exe C:\Windows\system32\net1 stop TrueKey /y #741
#751 0x510 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop VeeamBackupSvc /y #420
#752 0xbf0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y #420
#753 0x348 Child Process Medium net1.exe C:\Windows\system32\net1 stop UI0Detect /y #747
#754 0xde4 Child Process Medium net1.exe C:\Windows\system32\net1 stop TrueKeyServiceHelper /y #746
#755 0xa08 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y #420
#756 0x964 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop VeeamCloudSvc /y #420
#757 0x9d4 Child Process Medium net1.exe C:\Windows\system32\net1 stop VeeamBackupSvc /y #751
#758 0xbe8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop VeeamDeploymentService /y #420
#759 0xc58 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop VeeamDeploySvc /y #420
#760 0x8ac Child Process Medium net1.exe C:\Windows\system32\net1 stop VeeamCloudSvc /y #756
#761 0xed0 Child Process Medium net1.exe C:\Windows\system32\net1 stop VeeamBrokerSvc /y #752
#762 0x850 Child Process Medium net1.exe C:\Windows\system32\net1 stop VeeamCatalogSvc /y #755
#763 0xa8c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y #420
#764 0xb7c Child Process Medium net1.exe C:\Windows\system32\net1 stop VeeamDeploySvc /y #759
#765 0xb60 Child Process Medium net1.exe C:\Windows\system32\net1 stop VeeamDeploymentService /y #758
#766 0xd3c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop VeeamMountSvc /y #420
#767 0xef4 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop VeeamNFSSvc /y #420
#768 0xff4 Child Process Medium net1.exe C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y #763
#769 0xcac Child Process Medium net.exe "C:\Windows\System32\net.exe" stop VeeamRESTSvc /y #420
#770 0xaa8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop VeeamTransportSvc /y #420
#771 0xc40 Child Process Medium net1.exe C:\Windows\system32\net1 stop VeeamNFSSvc /y #767
#772 0xbd8 Child Process Medium net1.exe C:\Windows\system32\net1 stop VeeamMountSvc /y #766
#773 0xff0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop W3Svc /y #420
#774 0x804 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop wbengine /y #420
#775 0x338 Child Process Medium net1.exe C:\Windows\system32\net1 stop VeeamTransportSvc /y #770
#776 0xc5c Child Process Medium net1.exe C:\Windows\system32\net1 stop VeeamRESTSvc /y #769
#777 0x6f0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop WRSVC /y #420
#778 0xb20 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y #420
#779 0xf94 Child Process Medium net1.exe C:\Windows\system32\net1 stop W3Svc /y #773
#780 0xf10 Child Process Medium net1.exe C:\Windows\system32\net1 stop wbengine /y #774
#781 0xd14 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y #420
#782 0xfd4 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y #420
#783 0xd98 Child Process Medium net1.exe C:\Windows\system32\net1 stop WRSVC /y #777
#784 0xea4 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop swi_update /y #420
#785 0xd7c Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y #778
#786 0xdf0 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y #781
#787 0x7ac Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y #420
#788 0x7a8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y #420
#789 0xe58 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "SQL Backups" /y #420
#790 0xf84 Child Process Medium net1.exe C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y #782
#791 0xc4c Child Process Medium net1.exe C:\Windows\system32\net1 stop swi_update /y #784
#792 0x7e8 Child Process Medium net1.exe C:\Windows\system32\net1 stop "SQL Backups" /y #789
#793 0xbec Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y #788
#794 0xfa4 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$CXDB /y #787
#795 0xbac Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$PROD /y #420
#796 0xa34 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y #420
#797 0xdc0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y #420
#798 0xa24 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$PROD /y #795
#799 0xb50 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$PROD /y #420
#800 0xdb8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop msftesql$PROD /y #420
#801 0x8c4 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQLServerADHelper /y #797
#802 0xce4 Child Process Medium net1.exe C:\Windows\system32\net1 stop "Zoolz 2 Service" /y #796
#803 0xebc Child Process Medium net.exe "C:\Windows\System32\net.exe" stop NetMsmqActivator /y #420
#804 0xbc0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop EhttpSrv /y #420
#805 0x8d4 Child Process Medium net1.exe C:\Windows\system32\net1 stop msftesql$PROD /y #800
#806 0xd9c Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$PROD /y #799
#807 0x874 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop ekrn /y #420
#808 0xeec Child Process Medium net.exe "C:\Windows\System32\net.exe" stop ESHASRV /y #420
#809 0x7f8 Child Process Medium net1.exe C:\Windows\system32\net1 stop EhttpSrv /y #804
#810 0x520 Child Process Medium net1.exe C:\Windows\system32\net1 stop NetMsmqActivator /y #803
#811 0xd70 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y #420
#812 0xcf4 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y #420
#813 0xc04 Child Process Medium net1.exe C:\Windows\system32\net1 stop ESHASRV /y #808
#814 0xc74 Child Process Medium net1.exe C:\Windows\system32\net1 stop ekrn /y #807
#815 0xae8 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop AVP /y #420
#816 0xc6c Child Process Medium net.exe "C:\Windows\System32\net.exe" stop klnagent /y #420
#817 0xcc8 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$SOPHOS /y #811
#818 0xab4 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y #420
#819 0xa98 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y #812
#820 0xb04 Child Process Medium net1.exe C:\Windows\system32\net1 stop AVP /y #815
#821 0xd78 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y #420
#822 0xaa4 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop wbengine /y #420
#823 0xaf0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop kavfsslp /y #420
#824 0xc54 Child Process Medium net1.exe C:\Windows\system32\net1 stop klnagent /y #816
#825 0xb08 Child Process Medium net1.exe C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y #818
#826 0xcf0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop KAVFSGT /y #420
#827 0xc80 Child Process Medium net1.exe C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y #821
#828 0xac8 Child Process Medium net1.exe C:\Windows\system32\net1 stop wbengine /y #822
#829 0xa54 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop KAVFS /y #420
#830 0xde0 Child Process Medium net.exe "C:\Windows\System32\net.exe" stop mfefire /y #420
#831 0xe20 Child Process Medium cmd.exe "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe" /f #420
#832 0x380 Injection Medium dwm.exe "C:\Windows\system32\Dwm.exe" #420
#833 0xe9c Child Process Medium net1.exe C:\Windows\system32\net1 stop kavfsslp /y #823
#834 0xec4 Child Process Medium net1.exe C:\Windows\system32\net1 stop KAVFSGT /y #826
#835 0x848 Child Process Medium net1.exe C:\Windows\system32\net1 stop KAVFS /y #829
#836 0xdd8 Child Process Medium net1.exe C:\Windows\system32\net1 stop mfefire /y #830
#837 0x4a0 Injection Medium taskhost.exe "taskhost.exe" #420
#838 0xa28 Child Process Medium reg.exe REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe" /f #831

Behavior Information - Grouped by Category

Process #1: xhcdxx.exe
523 0
Information Value
ID #1
File Name c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:04, Reason: Analysis Target
Unmonitor End Time: 00:02:33, Reason: Self Terminated
Monitor Duration 00:01:29
OS Process Information
Information Value
PID 0xb0
Parent PID 0x458 (c:\windows\system32\net1.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x188, 0x6DC, 0x7E8, 0x2D0, 0x248, 0x7F0, 0x7FC, 0x344, 0x478, 0x330, 0x808, 0x81C, 0x834, 0x850, 0x870, 0x888, 0x8B0, 0x8C8, 0x924, 0x968, 0xA60, 0xA74, 0xAA4, 0xAC0, 0xB34, 0xB4C, 0xB9C, 0xBB8, 0xBF0, 0x824, 0x968, 0xA74, 0xB34, 0xC10, 0xC54, 0xC6C, 0xCC4, 0xCE8, 0xD48, 0xD70, 0xDBC, 0xDE4, 0xE34, 0xE4C, 0xE98, 0xEB4, 0xEE4, 0xEF8, 0xF1C, 0xF84, 0xF94, 0xFBC, 0xFF8, 0xC84, 0xE40, 0xEE4, 0xFBC, 0xEE4, 0x1018, 0x103C, 0x1050, 0x1088, 0x10B0, 0x10DC, 0x10FC, 0x1130, 0x115C, 0x1184, 0x1198, 0x1280, 0x1298, 0x12D0, 0x12F4, 0x1308, 0x1330, 0x1344, 0x1358, 0x139C, 0x13BC, 0x13F4, 0x103C, 0xFF4, 0xC60, 0xFEC, 0x1090, 0xC10, 0xF84, 0xE98, 0x10C4, 0x1040, 0x1170, 0x1138, 0xA3C, 0x10F8, 0x11C4, 0x11D0, 0x864, 0x11E8, 0x9B0, 0x1200, 0x9AC, 0x10D4, 0xA70, 0x414, 0xB38, 0xC2C, 0xA8C, 0x8D8, 0x8B4, 0x930, 0x8CC, 0xAD0, 0x898, 0xC14, 0xACC, 0xBFC, 0x578, 0x308, 0x8B8, 0x10A8, 0x12E0, 0x1158, 0x12A8, 0x12FC, 0x129C, 0x1320, 0x137C, 0xC3C, 0x13C8, 0x1300, 0x12EC, 0x13C0, 0x13A4, 0x1394, 0x13B4, 0x13EC, 0x1094, 0xE98, 0x100C, 0xCC4, 0xDBC, 0xF80, 0x1054, 0xFC8, 0x102C, 0xFE4, 0x108C, 0xA3C, 0x107C, 0x11C0, 0x1114, 0x1184, 0x11E4, 0x11CC, 0xB84, 0x9BC, 0xAF0, 0x8D4, 0x830, 0xABC, 0xAC4, 0x8CC, 0xDEC, 0xE88, 0x64, 0xD2C, 0xB28, 0xD5C, 0xF48, 0xFD4, 0xEB8, 0x5C4, 0x8E4, 0xE50, 0xC94, 0x804, 0xCB0, 0xC50, 0xF70, 0xA68, 0xF60, 0x940, 0xA60, 0xEA4, 0xD84, 0x10F4, 0xA38, 0xE28, 0xB94, 0x330, 0x12E0, 0x7C4, 0xBA8, 0x1104, 0x1128, 0xBA4, 0x1294, 0x126C, 0x1338, 0x12C0, 0x83C, 0x1324, 0x132C, 0x12DC, 0x12CC, 0xE40, 0x13D0, 0xDBC, 0xF94, 0x13D8, 0x1138, 0xFF0, 0x10D0, 0xB70, 0xA4C, 0x11CC, 0x98C, 0x10F8, 0x106C, 0x9A0, 0x99C, 0x11D0, 0xA2C, 0xB58, 0xBD8, 0xBE4, 0x10C8, 0xA88, 0xABC, 0x10C0, 0x5F0, 0x8CC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory rw True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d0fff Pagefile Backed Memory rw True False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e1fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000f0000 0x000f0000 0x000f0fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x000fffff Private Memory rw True False False -
pagefile_0x00000000000f0000 0x000f0000 0x000f9fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000100000 0x00100000 0x00101fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
oleaccrc.dll 0x00120000 0x00120fff Memory Mapped File r False False False -
pagefile_0x0000000000120000 0x00120000 0x00129fff Pagefile Backed Memory rw True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
pagefile_0x00000000002b0000 0x002b0000 0x0038efff Pagefile Backed Memory r True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
private_0x0000000000490000 0x00490000 0x0058ffff Private Memory rw True False False -
pagefile_0x0000000000590000 0x00590000 0x00591fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005a0000 0x005a0000 0x005a6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005b0000 0x005b0000 0x005b1fff Pagefile Backed Memory rw True False False -
cversions.2.db 0x005c0000 0x005c3fff Memory Mapped File r True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db 0x005d0000 0x005eefff Memory Mapped File r True False False -
pagefile_0x00000000005f0000 0x005f0000 0x005f0fff Pagefile Backed Memory rw True False False -
cversions.2.db 0x00600000 0x00603fff Memory Mapped File r True False False -
private_0x0000000000610000 0x00610000 0x0061ffff Private Memory rw True False False -
pagefile_0x0000000000620000 0x00620000 0x007a7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007b0000 0x007b0000 0x00930fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000940000 0x00940000 0x01d3ffff Pagefile Backed Memory r True False False -
sortdefault.nls 0x01d40000 0x0200efff Memory Mapped File r False False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db 0x02010000 0x0203ffff Memory Mapped File r True False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x02040000 0x020a5fff Memory Mapped File r True False False -
pagefile_0x00000000020b0000 0x020b0000 0x020b0fff Pagefile Backed Memory rw True False False -
pagefile_0x00000000020c0000 0x020c0000 0x020c0fff Pagefile Backed Memory rw True False False -
cversions.2.db 0x020d0000 0x020d3fff Memory Mapped File r True False False -
private_0x00000000020e0000 0x020e0000 0x021dffff Private Memory rw True False False -
private_0x00000000021f0000 0x021f0000 0x022effff Private Memory rw True False False -
private_0x0000000002320000 0x02320000 0x0241ffff Private Memory rw True False False -
pagefile_0x0000000002420000 0x02420000 0x02812fff Pagefile Backed Memory r True False False -
private_0x0000000002890000 0x02890000 0x0298ffff Private Memory rw True False False -
private_0x0000000002990000 0x02990000 0x02a8ffff Private Memory rw True False False -
private_0x0000000002b00000 0x02b00000 0x02bfffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
psapi.dll 0x77830000 0x77836fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
xhcdxx.exe 0x13f3b0000 0x13f3e5fff Memory Mapped File rwx True True False
oleacc.dll 0x7fef5230000 0x7fef5283fff Memory Mapped File rwx False False False -
ieframe.dll 0x7fef5290000 0x7fef5e46fff Memory Mapped File rwx False False False -
api-ms-win-core-synch-l1-2-0.dll 0x7fef8ef0000 0x7fef8ef2fff Memory Mapped File rwx False False False -
apphelp.dll 0x7fefa4d0000 0x7fefa526fff Memory Mapped File rwx False False False -
ntmarta.dll 0x7fefb520000 0x7fefb54cfff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fefbf10000 0x7fefbf65fff Memory Mapped File rwx False False False -
propsys.dll 0x7fefbf70000 0x7fefc09bfff Memory Mapped File rwx False False False -
comctl32.dll 0x7fefc0f0000 0x7fefc2e3fff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
profapi.dll 0x7fefd5c0000 0x7fefd5cefff Memory Mapped File rwx False False False -
msasn1.dll 0x7fefd660000 0x7fefd66efff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7fefd670000 0x7fefd6a5fff Memory Mapped File rwx False False False -
crypt32.dll 0x7fefd750000 0x7fefd8b6fff Memory Mapped File rwx False False False -
devobj.dll 0x7fefd900000 0x7fefd919fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
urlmon.dll 0x7fefd990000 0x7fefdb07fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
wldap32.dll 0x7fefe1b0000 0x7fefe201fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
shell32.dll 0x7fefe360000 0x7feff0e7fff Memory Mapped File rwx False False False -
setupapi.dll 0x7feff0f0000 0x7feff2c6fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
wininet.dll 0x7feff360000 0x7feff489fff Memory Mapped File rwx False False False -
iertutil.dll 0x7feff4e0000 0x7feff738fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (5)
Operation Filename Additional Information Success Count
Create C:\users\Public\sys desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN False 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Delete - - False 1
Process (326)
Operation Process Additional Information Success Count
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create taskkill show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 2
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 2
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 2
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create net show_window = SW_HIDE True 1
Create C:\Windows\System32\cmd.exe show_window = SW_HIDE True 1
Open System desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\smss.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\csrss.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\wininit.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\csrss.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\winlogon.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\services.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\lsass.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\lsm.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\audiodg.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\dwm.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\explorer.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\spoolsv.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\taskeng.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\reference assemblies\gridfriendlyfocal.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\windows defender\protection-therapeutic-drawing.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\mozilla firefox\never-isolation.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\microsoft sql server compact edition\default.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\java\semiconductor_fi.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\reference assemblies\whatever modern visibility.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\common files\waiver.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\windows mail\tutorial.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\common files\specifics_diff.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\internet explorer\commitmentusagechance.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\internet explorer\ham.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\windows sidebar\emails.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\windows defender\signal.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\windows defender\stupid executives.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\microsoft synchronization services\tax pending.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\sc.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\sdclt.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\windows sidebar\pat-southern-proceeding.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\wbem\wmiprvse.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\sppsvc.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\net1.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\taskkill.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\taskkill.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\cmd.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\dwm.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\taskeng.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\reference assemblies\gridfriendlyfocal.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\windows defender\protection-therapeutic-drawing.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\mozilla firefox\never-isolation.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\microsoft sql server compact edition\default.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\java\semiconductor_fi.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\reference assemblies\whatever modern visibility.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\common files\waiver.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\windows mail\tutorial.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\common files\specifics_diff.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\internet explorer\commitmentusagechance.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\internet explorer\ham.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\windows sidebar\emails.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\windows defender\signal.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\windows defender\stupid executives.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files\microsoft synchronization services\tax pending.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\sc.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\sdclt.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\program files (x86)\windows sidebar\pat-southern-proceeding.exe desired_access = PROCESS_ALL_ACCESS True 1
Open c:\windows\system32\taskkill.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\taskkill.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS False 1
Open c:\windows\system32\cmd.exe desired_access = PROCESS_ALL_ACCESS False 1
Thread (3)
Operation Process Additional Information Success Count
Create c:\windows\system32\dwm.exe proc_address = 0x13f3b1a30, proc_parameter = 5355798528, flags = THREAD_RUNS_IMMEDIATELY True 1
Create c:\windows\system32\taskhost.exe proc_address = 0x13f3b1a30, proc_parameter = 5355798528, flags = THREAD_RUNS_IMMEDIATELY True 1
Create c:\windows\system32\taskeng.exe proc_address = 0x13f3b1a30, proc_parameter = 5355798528, flags = THREAD_RUNS_IMMEDIATELY True 1
Memory (25)
Operation Process Additional Information Success Count
Allocate c:\windows\system32\dwm.exe address = 0x13f3b0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 True 1
Allocate c:\windows\system32\taskhost.exe address = 0x13f3b0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 True 1
Allocate c:\windows\system32\taskeng.exe address = 0x13f3b0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 True 1
Allocate c:\program files\reference assemblies\gridfriendlyfocal.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files\windows defender\protection-therapeutic-drawing.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files (x86)\mozilla firefox\never-isolation.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files\microsoft sql server compact edition\default.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files (x86)\java\semiconductor_fi.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files (x86)\reference assemblies\whatever modern visibility.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files\common files\waiver.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files\windows mail\tutorial.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files (x86)\common files\specifics_diff.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files (x86)\internet explorer\commitmentusagechance.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files\internet explorer\ham.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files\windows sidebar\emails.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files (x86)\windows defender\signal.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\windows\system32\taskhost.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files (x86)\windows defender\stupid executives.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files\microsoft synchronization services\tax pending.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\windows\system32\sc.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\windows\system32\sdclt.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Allocate c:\program files (x86)\windows sidebar\pat-southern-proceeding.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1
Write c:\windows\system32\dwm.exe address = 0x13f3b0000, size = 221184 True 1
Write c:\windows\system32\taskhost.exe address = 0x13f3b0000, size = 221184 True 1
Write c:\windows\system32\taskeng.exe address = 0x13f3b0000, size = 221184 True 1
Module (62)
Operation Module Additional Information Success Count
Load api-ms-win-core-synch-l1-2-0 base_address = 0x0 False 2
Load api-ms-win-core-synch-l1-2-0 base_address = 0x7fef8ef0000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x0 False 4
Load kernel32 base_address = 0x0 False 2
Load kernel32 base_address = 0x77550000 True 2
Load advapi32 base_address = 0x0 False 1
Load advapi32 base_address = 0x7feff740000 True 1
Load api-ms-win-core-localization-l1-2-1 base_address = 0x0 False 2
Load kernel32.dll base_address = 0x77550000 True 1
Load api-ms-win-appmodel-runtime-l1-1-1 base_address = 0x0 False 2
Load ext-ms-win-kernel32-package-current-l1-1-0 base_address = 0x0 False 2
Get Handle c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe base_address = 0x13f3b0000 True 24
Get Handle mscoree.dll - False 1
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe, size = 260 True 3
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe, size = 320 True 1
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe, size = 100 True 1
Get Address c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll function = InitializeCriticalSectionEx, address_out = 0x0 False 2
Get Address c:\windows\system32\kernel32.dll function = FlsAlloc, address_out = 0x77567190 True 2
Get Address c:\windows\system32\kernel32.dll function = FlsSetValue, address_out = 0x7756bd90 True 2
Get Address c:\windows\system32\advapi32.dll function = EventRegister, address_out = 0x776acac0 True 1
Get Address c:\windows\system32\advapi32.dll function = EventSetInformation, address_out = 0x0 False 1
Get Address c:\windows\system32\kernel32.dll function = FlsGetValue, address_out = 0x77573520 True 1
Get Address c:\windows\system32\kernel32.dll function = LCMapStringEx, address_out = 0x7759b710 True 1
Get Address c:\windows\system32\kernel32.dll function = IsWow64Process, address_out = 0x775591d0 True 1
User (1)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
System (40)
Operation Additional Information Success Count
Sleep duration = 5000 milliseconds (5.000 seconds) True 2
Sleep duration = 300 milliseconds (0.300 seconds) True 34
Get Time type = System Time, time = 2018-11-27 19:39:55 (UTC) True 1
Get Info type = Operating System True 1
Get Info type = Windows Directory, result_out = C:\Windows True 2
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Process #2: taskkill.exe
Information Value
ID #2
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:16, Reason: Child Process
Unmonitor End Time: 00:01:39, Reason: Self Terminated
Monitor Duration 00:00:23
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf0
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x170, 0x8D8, 0x918, 0x98C, 0x990
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0041ffff Private Memory rw True False False -
private_0x0000000000470000 0x00470000 0x0056ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4450000 0x7fef4574fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #3: taskkill.exe
Information Value
ID #3
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:17, Reason: Child Process
Unmonitor End Time: 00:01:39, Reason: Self Terminated
Monitor Duration 00:00:22
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x3c8
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x4E0
0x8E4
0x930
0x9A8
0x9AC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x001fffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4450000 0x7fef4574fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #4: taskkill.exe
Information Value
ID #4
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:17, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:21
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x578
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x61C
0x8CC
0x90C
0x974
0x978
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0005ffff Private Memory rw True False False -
pagefile_0x0000000000060000 0x00060000 0x00066fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000070000 0x00070000 0x00071fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00080000 0x00083fff Memory Mapped File rw False False False -
private_0x0000000000090000 0x00090000 0x00090fff Private Memory rw True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x001a0fff Private Memory rw True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c0fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
locale.nls 0x00250000 0x002b6fff Memory Mapped File r False False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
pagefile_0x00000000003c0000 0x003c0000 0x00547fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000550000 0x00550000 0x006d0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006e0000 0x006e0000 0x01adffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01ae0000 0x01b9ffff Memory Mapped File rw False False False -
private_0x0000000001c30000 0x01c30000 0x01caffff Private Memory rw True False False -
private_0x0000000001d10000 0x01d10000 0x01d8ffff Private Memory rw True False False -
private_0x0000000001db0000 0x01db0000 0x01e2ffff Private Memory rw True False False -
sortdefault.nls 0x01e30000 0x020fefff Memory Mapped File r False False False -
private_0x0000000002100000 0x02100000 0x0217ffff Private Memory rw True False False -
private_0x00000000021c0000 0x021c0000 0x0223ffff Private Memory rw True False False -
private_0x00000000023b0000 0x023b0000 0x0242ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4450000 0x7fef4574fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #5: taskkill.exe
Information Value
ID #5
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:17, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:21
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x308
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x7E0
0x8D4
0x914
0x984
0x988
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
pagefile_0x0000000000140000 0x00140000 0x00146fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x0015ffff Private Memory rw True False False -
pagefile_0x0000000000160000 0x00160000 0x00161fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00170000 0x00173fff Memory Mapped File rw False False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x00190fff Private Memory rw True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory r True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
pagefile_0x0000000000400000 0x00400000 0x00587fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000590000 0x00590000 0x00710fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000720000 0x00720000 0x01b1ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b20000 0x01bdffff Memory Mapped File rw False False False -
private_0x0000000001cf0000 0x01cf0000 0x01d6ffff Private Memory rw True False False -
private_0x0000000001e30000 0x01e30000 0x01eaffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4450000 0x7fef4574fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #6: taskkill.exe
Information Value
ID #6
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:17, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:21
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7f0
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x7FC
0x8D0
0x910
0x97C
0x980
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00070000 0x00073fff Memory Mapped File rw False False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
pagefile_0x0000000000190000 0x00190000 0x00190fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0046ffff Private Memory rw True False False -
pagefile_0x0000000000470000 0x00470000 0x005f7fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000600000 0x00600000 0x00780fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000790000 0x00790000 0x01b8ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b90000 0x01c4ffff Memory Mapped File rw False False False -
private_0x0000000001c90000 0x01c90000 0x01d0ffff Private Memory rw True False False -
private_0x0000000001d20000 0x01d20000 0x01d9ffff Private Memory rw True False False -
private_0x0000000001f00000 0x01f00000 0x01f7ffff Private Memory rw True False False -
private_0x0000000001fb0000 0x01fb0000 0x0202ffff Private Memory rw True False False -
private_0x0000000002080000 0x02080000 0x020fffff Private Memory rw True False False -
private_0x0000000002160000 0x02160000 0x021dffff Private Memory rw True False False -
sortdefault.nls 0x021e0000 0x024aefff Memory Mapped File r False False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4450000 0x7fef4574fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #7: taskkill.exe
Information Value
ID #7
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM excel.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:18, Reason: Child Process
Unmonitor End Time: 00:01:39, Reason: Self Terminated
Monitor Duration 00:00:21
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7f4
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x804
0x8E0
0x92C
0x99C
0x9A0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
private_0x00000000001a0000 0x001a0000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
pagefile_0x0000000000460000 0x00460000 0x005e7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005f0000 0x005f0000 0x00770fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000780000 0x00780000 0x01b7ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b80000 0x01c3ffff Memory Mapped File rw False False False -
private_0x0000000001c60000 0x01c60000 0x01cdffff Private Memory rw True False False -
private_0x0000000001d30000 0x01d30000 0x01daffff Private Memory rw True False False -
private_0x0000000001e70000 0x01e70000 0x01eeffff Private Memory rw True False False -
sortdefault.nls 0x01ef0000 0x021befff Memory Mapped File r False False False -
private_0x0000000002210000 0x02210000 0x0228ffff Private Memory rw True False False -
private_0x0000000002380000 0x02380000 0x023fffff Private Memory rw True False False -
private_0x0000000002420000 0x02420000 0x0249ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4450000 0x7fef4574fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #8: taskkill.exe
Information Value
ID #8
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:18, Reason: Child Process
Unmonitor End Time: 00:01:39, Reason: Self Terminated
Monitor Duration 00:00:21
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x814
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x818, 0x8DC, 0x928, 0x994, 0x998
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
pagefile_0x0000000000190000 0x00190000 0x00190fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory r True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
kernelbase.dll.mui 0x00400000 0x004bffff Memory Mapped File rw False False False -
private_0x00000000004e0000 0x004e0000 0x004effff Private Memory rw True False False -
pagefile_0x00000000004f0000 0x004f0000 0x00677fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000680000 0x00680000 0x00800fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000810000 0x00810000 0x01c0ffff Pagefile Backed Memory r True False False -
private_0x0000000001c90000 0x01c90000 0x01d0ffff Private Memory rw True False False -
private_0x0000000001d70000 0x01d70000 0x01deffff Private Memory rw True False False -
private_0x0000000001e00000 0x01e00000 0x01e7ffff Private Memory rw True False False -
private_0x0000000001e80000 0x01e80000 0x01efffff Private Memory rw True False False -
sortdefault.nls 0x01f00000 0x021cefff Memory Mapped File r False False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4450000 0x7fef4574fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #9: taskkill.exe
Information Value
ID #9
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM infopath.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:18, Reason: Child Process
Unmonitor End Time: 00:01:39, Reason: Self Terminated
Monitor Duration 00:00:21
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x82c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x830, 0x8B4, 0x908, 0x94C, 0x950
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
private_0x0000000000120000 0x00120000 0x0012ffff Private Memory rw True False False -
pagefile_0x0000000000130000 0x00130000 0x00130fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
pagefile_0x0000000000480000 0x00480000 0x00607fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000610000 0x00610000 0x00790fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007a0000 0x007a0000 0x01b9ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01ba0000 0x01c5ffff Memory Mapped File rw False False False -
private_0x0000000001cc0000 0x01cc0000 0x01d3ffff Private Memory rw True False False -
private_0x0000000001d80000 0x01d80000 0x01dfffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4450000 0x7fef4574fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #10: taskkill.exe
Information Value
ID #10
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:18, Reason: Child Process
Unmonitor End Time: 00:01:39, Reason: Self Terminated
Monitor Duration 00:00:21
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x848
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x84C, 0x8EC, 0x940, 0x9B8, 0x9BC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0011ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
pagefile_0x00000000004b0000 0x004b0000 0x00637fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000640000 0x00640000 0x007c0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007d0000 0x007d0000 0x01bcffff Pagefile Backed Memory r True False False -
private_0x0000000001c80000 0x01c80000 0x01cfffff Private Memory rw True False False -
kernelbase.dll.mui 0x01d00000 0x01dbffff Memory Mapped File rw False False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4450000 0x7fef4574fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #11: taskkill.exe
Information Value
ID #11
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:18, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x868
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x86C, 0x8F0, 0x904, 0x944, 0x948
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory rw True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
taskkill.exe.mui 0x00160000 0x00163fff Memory Mapped File rw False False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
pagefile_0x0000000000190000 0x00190000 0x00190fff Pagefile Backed Memory r True False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0031ffff Private Memory rw True False False -
pagefile_0x0000000000320000 0x00320000 0x00320fff Pagefile Backed Memory r True False False -
private_0x0000000000350000 0x00350000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
pagefile_0x0000000000460000 0x00460000 0x005e7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005f0000 0x005f0000 0x00770fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000780000 0x00780000 0x01b7ffff Pagefile Backed Memory r True False False -
private_0x0000000001bc0000 0x01bc0000 0x01c3ffff Private Memory rw True False False -
kernelbase.dll.mui 0x01c40000 0x01cfffff Memory Mapped File rw False False False -
private_0x0000000001de0000 0x01de0000 0x01e5ffff Private Memory rw True False False -
sortdefault.nls 0x01e60000 0x0212efff Memory Mapped File r False False False -
private_0x0000000002160000 0x02160000 0x021dffff Private Memory rw True False False -
private_0x00000000022b0000 0x022b0000 0x0232ffff Private Memory rw True False False -
private_0x0000000002360000 0x02360000 0x023dffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4450000 0x7fef4574fff Memory Mapped File rwx False False False -
wbemsvc.dll 0x7fef7020000 0x7fef7033fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
fastprox.dll 0x7fef7360000 0x7fef7441fff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #12: taskkill.exe
Information Value
ID #12
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:18, Reason: Child Process
Unmonitor End Time: 00:01:39, Reason: Self Terminated
Monitor Duration 00:00:21
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x880
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x884, 0x8E8, 0x934, 0x9B0, 0x9B4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
pagefile_0x0000000000140000 0x00140000 0x00146fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000150000 0x00150000 0x00151fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00160000 0x00163fff Memory Mapped File rw False False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
pagefile_0x0000000000190000 0x00190000 0x00190fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory r True False False -
private_0x0000000000200000 0x00200000 0x0020ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
pagefile_0x00000000004a0000 0x004a0000 0x00627fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000630000 0x00630000 0x007b0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007c0000 0x007c0000 0x01bbffff Pagefile Backed Memory r True False False -
private_0x0000000001bc0000 0x01bc0000 0x01c3ffff Private Memory rw True False False -
private_0x0000000001c60000 0x01c60000 0x01cdffff Private Memory rw True False False -
kernelbase.dll.mui 0x01ce0000 0x01d9ffff Memory Mapped File rw False False False -
private_0x0000000001e50000 0x01e50000 0x01ecffff Private Memory rw True False False -
private_0x0000000001f10000 0x01f10000 0x01f8ffff Private Memory rw True False False -
private_0x0000000001fe0000 0x01fe0000 0x0205ffff Private Memory rw True False False -
sortdefault.nls 0x02060000 0x0232efff Memory Mapped File r False False False -
private_0x0000000002340000 0x02340000 0x023bffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4450000 0x7fef4574fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #13: taskkill.exe
Information Value
ID #13
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mspub.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:19, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:19
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8a8
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x8AC
0xA54
0xAAC
0xAE0
0xAE4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
pagefile_0x0000000000140000 0x00140000 0x00146fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000150000 0x00150000 0x00151fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00160000 0x00163fff Memory Mapped File rw False False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x00370fff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x00380fff Private Memory rw True False False -
pagefile_0x0000000000390000 0x00390000 0x00390fff Pagefile Backed Memory r True False False -
pagefile_0x00000000003a0000 0x003a0000 0x003a0fff Pagefile Backed Memory r True False False -
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory rw True False False -
pagefile_0x00000000003d0000 0x003d0000 0x00557fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000560000 0x00560000 0x006e0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006f0000 0x006f0000 0x01aeffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01af0000 0x01baffff Memory Mapped File rw False False False -
private_0x0000000001bf0000 0x01bf0000 0x01c6ffff Private Memory rw True False False -
private_0x0000000001ce0000 0x01ce0000 0x01d5ffff Private Memory rw True False False -
private_0x0000000001d60000 0x01d60000 0x01ddffff Private Memory rw True False False -
private_0x0000000001e60000 0x01e60000 0x01edffff Private Memory rw True False False -
private_0x0000000001fd0000 0x01fd0000 0x0204ffff Private Memory rw True False False -
sortdefault.nls 0x02050000 0x0231efff Memory Mapped File r False False False -
private_0x00000000023d0000 0x023d0000 0x0244ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4450000 0x7fef4574fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #14: taskkill.exe
Information Value
ID #14
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:19, Reason: Child Process
Unmonitor End Time: 00:01:39, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8c0
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x8C4
0x9F8
0xA8C
0xAD8
0xADC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0045ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4450000 0x7fef4574fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #15: taskkill.exe
Information Value
ID #15
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:21, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:17
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x91c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x920
0xAC4
0xAEC
0xB08
0xB0C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
kernelbase.dll.mui 0x001d0000 0x0028ffff Memory Mapped File rw False False False -
private_0x00000000002a0000 0x002a0000 0x002affff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x0032ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
private_0x0000000000470000 0x00470000 0x0056ffff Private Memory rw True False False -
pagefile_0x0000000000570000 0x00570000 0x006f7fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000700000 0x00700000 0x00880fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000890000 0x00890000 0x01c8ffff Pagefile Backed Memory r True False False -
private_0x0000000001d00000 0x01d00000 0x01d7ffff Private Memory rw True False False -
private_0x0000000001da0000 0x01da0000 0x01e1ffff Private Memory rw True False False -
private_0x0000000001e50000 0x01e50000 0x01ecffff Private Memory rw True False False -
private_0x0000000001ef0000 0x01ef0000 0x01f6ffff Private Memory rw True False False -
private_0x00000000020c0000 0x020c0000 0x0213ffff Private Memory rw True False False -
sortdefault.nls 0x02140000 0x0240efff Memory Mapped File r False False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4450000 0x7fef4574fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #16: taskkill.exe
Information Value
ID #16
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:22, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:16
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x960
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x964
0xAC8
0xAF0
0xB00
0xB04
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000f0000 0x000f3fff Memory Mapped File rw False False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory rw True False False -
locale.nls 0x00210000 0x00276fff Memory Mapped File r False False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x00380fff Private Memory rw True False False -
kernelbase.dll.mui 0x00390000 0x0044ffff Memory Mapped File rw False False False -
private_0x0000000000450000 0x00450000 0x0045ffff Private Memory rw True False False -
pagefile_0x0000000000460000 0x00460000 0x005e7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005f0000 0x005f0000 0x00770fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000780000 0x00780000 0x01b7ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001b80000 0x01b80000 0x01b80fff Pagefile Backed Memory r True False False -
pagefile_0x0000000001b90000 0x01b90000 0x01b90fff Pagefile Backed Memory r True False False -
private_0x0000000001c10000 0x01c10000 0x01c8ffff Private Memory rw True False False -
private_0x0000000001cf0000 0x01cf0000 0x01d6ffff Private Memory rw True False False -
private_0x0000000001e80000 0x01e80000 0x01efffff Private Memory rw True False False -
sortdefault.nls 0x01f00000 0x021cefff Memory Mapped File r False False False -
private_0x00000000021f0000 0x021f0000 0x0226ffff Private Memory rw True False False -
private_0x00000000022d0000 0x022d0000 0x0234ffff Private Memory rw True False False -
private_0x0000000002450000 0x02450000 0x024cffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4450000 0x7fef4574fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #18: taskkill.exe
Information Value
ID #18
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:22, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:16
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa58
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA5C
0xB50
0xB68
0xB78
0xB7C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
pagefile_0x0000000000390000 0x00390000 0x00517fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000520000 0x00520000 0x00520fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000530000 0x00530000 0x00530fff Pagefile Backed Memory r True False False -
private_0x0000000000540000 0x00540000 0x0054ffff Private Memory rw True False False -
pagefile_0x0000000000550000 0x00550000 0x006d0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006e0000 0x006e0000 0x01adffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01ae0000 0x01b9ffff Memory Mapped File rw False False False -
private_0x0000000001ba0000 0x01ba0000 0x01c1ffff Private Memory rw True False False -
private_0x0000000001c40000 0x01c40000 0x01cbffff Private Memory rw True False False -
private_0x0000000001d40000 0x01d40000 0x01dbffff Private Memory rw True False False -
private_0x0000000001de0000 0x01de0000 0x01e5ffff Private Memory rw True False False -
sortdefault.nls 0x01e60000 0x0212efff Memory Mapped File r False False False -
private_0x0000000002280000 0x02280000 0x022fffff Private Memory rw True False False -
private_0x0000000002390000 0x02390000 0x0240ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4450000 0x7fef4574fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #19: taskkill.exe
Information Value
ID #19
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:23, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:15
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa6c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA70
0xB20
0xB58
0xB70
0xB74
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
kernelbase.dll.mui 0x00230000 0x002effff Memory Mapped File rw False False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
private_0x0000000000510000 0x00510000 0x0051ffff Private Memory rw True False False -
pagefile_0x0000000000520000 0x00520000 0x006a7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006b0000 0x006b0000 0x00830fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000840000 0x00840000 0x01c3ffff Pagefile Backed Memory r True False False -
private_0x0000000001d00000 0x01d00000 0x01d7ffff Private Memory rw True False False -
private_0x0000000001e20000 0x01e20000 0x01e9ffff Private Memory rw True False False -
private_0x0000000001f10000 0x01f10000 0x01f8ffff Private Memory rw True False False -
private_0x0000000001ff0000 0x01ff0000 0x0206ffff Private Memory rw True False False -
sortdefault.nls 0x02070000 0x0233efff Memory Mapped File r False False False -
private_0x0000000002440000 0x02440000 0x024bffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4450000 0x7fef4574fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #20: taskkill.exe
Information Value
ID #20
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:23, Reason: Child Process
Unmonitor End Time: 00:01:39, Reason: Self Terminated
Monitor Duration 00:00:16
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa9c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xAA0
0xB54
0xB6C
0xB80
0xB84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
private_0x0000000000120000 0x00120000 0x0019ffff Private Memory rw True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x001bffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
kernelbase.dll.mui 0x00270000 0x0032ffff Memory Mapped File rw False False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x0052ffff Private Memory rw True False False -
pagefile_0x0000000000530000 0x00530000 0x006b7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006c0000 0x006c0000 0x00840fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000850000 0x00850000 0x01c4ffff Pagefile Backed Memory r True False False -
private_0x0000000001d10000 0x01d10000 0x01d8ffff Private Memory rw True False False -
private_0x0000000001df0000 0x01df0000 0x01e6ffff Private Memory rw True False False -
private_0x0000000001ea0000 0x01ea0000 0x01f1ffff Private Memory rw True False False -
private_0x0000000001f30000 0x01f30000 0x01faffff Private Memory rw True False False -
private_0x0000000002040000 0x02040000 0x020bffff Private Memory rw True False False -
sortdefault.nls 0x020c0000 0x0238efff Memory Mapped File r False False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4450000 0x7fef4574fff Memory Mapped File rwx False False False -
wbemsvc.dll 0x7fef7020000 0x7fef7033fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #21: taskkill.exe
Information Value
ID #21
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:23, Reason: Child Process
Unmonitor End Time: 00:01:39, Reason: Self Terminated
Monitor Duration 00:00:16
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xab8
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xABC
0xBE4
0x870
0x890
0x888
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x00270fff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x00280fff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0029ffff Private Memory rw True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000002b0000 0x002b0000 0x002b0fff Pagefile Backed Memory r True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
pagefile_0x00000000003e0000 0x003e0000 0x00567fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000570000 0x00570000 0x006f0fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000700000 0x00700000 0x01afffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b00000 0x01bbffff Memory Mapped File rw False False False -
private_0x0000000001be0000 0x01be0000 0x01c5ffff Private Memory rw True False False -
private_0x0000000001cb0000 0x01cb0000 0x01d2ffff Private Memory rw True False False -
private_0x0000000001d30000 0x01d30000 0x01daffff Private Memory rw True False False -
private_0x0000000001df0000 0x01df0000 0x01e6ffff Private Memory rw True False False -
sortdefault.nls 0x01e70000 0x0213efff Memory Mapped File r False False False -
private_0x0000000002260000 0x02260000 0x022dffff Private Memory rw True False False -
private_0x0000000002330000 0x02330000 0x023affff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4450000 0x7fef4574fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #22: taskkill.exe
Information Value
ID #22
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:23, Reason: Child Process
Unmonitor End Time: 00:01:39, Reason: Self Terminated
Monitor Duration 00:00:16
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb2c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xB30
0xBBC
0xBC8
0xBD8
0xBDC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
pagefile_0x0000000000140000 0x00140000 0x00146fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000150000 0x00150000 0x00151fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00160000 0x00163fff Memory Mapped File rw False False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
pagefile_0x0000000000190000 0x00190000 0x00190fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory r True False False -
private_0x00000000001e0000 0x001e0000 0x001effff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
pagefile_0x0000000000470000 0x00470000 0x005f7fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000600000 0x00600000 0x00780fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000790000 0x00790000 0x01b8ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b90000 0x01c4ffff Memory Mapped File rw False False False -
private_0x0000000001c50000 0x01c50000 0x01ccffff Private Memory rw True False False -
private_0x0000000001ce0000 0x01ce0000 0x01d5ffff Private Memory rw True False False -
private_0x0000000001d80000 0x01d80000 0x01dfffff Private Memory rw True False False -
private_0x0000000001e80000 0x01e80000 0x01efffff Private Memory rw True False False -
sortdefault.nls 0x01f00000 0x021cefff Memory Mapped File r False False False -
private_0x00000000021d0000 0x021d0000 0x0224ffff Private Memory rw True False False -
private_0x0000000002270000 0x02270000 0x022effff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4450000 0x7fef4574fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #23: taskkill.exe
Information Value
ID #23
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM onenote.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:24, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:14
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb44
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xB48
0xBD4
0x850
0x864
0x878
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
pagefile_0x00000000003e0000 0x003e0000 0x00567fff Pagefile Backed Memory r True False False -
private_0x00000000005b0000 0x005b0000 0x005bffff Private Memory rw True False False -
pagefile_0x00000000005c0000 0x005c0000 0x00740fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000750000 0x00750000 0x01b4ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b50000 0x01c0ffff Memory Mapped File rw False False False -
private_0x0000000001c40000 0x01c40000 0x01cbffff Private Memory rw True False False -
private_0x0000000001cc0000 0x01cc0000 0x01d3ffff Private Memory rw True False False -
private_0x0000000001d40000 0x01d40000 0x01dbffff Private Memory rw True False False -
private_0x0000000001e00000 0x01e00000 0x01e7ffff Private Memory rw True False False -
sortdefault.nls 0x01e80000 0x0214efff Memory Mapped File r False False False -
private_0x00000000022c0000 0x022c0000 0x0233ffff Private Memory rw True False False -
private_0x00000000023b0000 0x023b0000 0x0242ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4450000 0x7fef4574fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #25: taskkill.exe
Information Value
ID #25
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM oracle.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:24, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:14
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb94
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xB98
0x8C8
0xB4C
0xBB8
0xBF0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e1fff Pagefile Backed Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x001effff Private Memory rw True False False -
locale.nls 0x001f0000 0x00256fff Memory Mapped File r False False False -
taskkill.exe.mui 0x00260000 0x00263fff Memory Mapped File rw False False False -
private_0x0000000000270000 0x00270000 0x00270fff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x00280fff Private Memory rw True False False -
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory r True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory r True False False -
private_0x0000000000310000 0x00310000 0x0031ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
pagefile_0x0000000000420000 0x00420000 0x005a7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005b0000 0x005b0000 0x00730fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000740000 0x00740000 0x01b3ffff Pagefile Backed Memory r True False False -
private_0x0000000001b60000 0x01b60000 0x01bdffff Private Memory rw True False False -
kernelbase.dll.mui 0x01be0000 0x01c9ffff Memory Mapped File rw False False False -
private_0x0000000001d70000 0x01d70000 0x01deffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4450000 0x7fef4574fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #26: taskkill.exe
Information Value
ID #26
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM outlook.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:24, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:14
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbb0
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xBB4
0x8BC
0xB40
0xBAC
0xBC4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
pagefile_0x0000000000140000 0x00140000 0x00146fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000150000 0x00150000 0x00151fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00160000 0x00163fff Memory Mapped File rw False False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
pagefile_0x0000000000390000 0x00390000 0x00390fff Pagefile Backed Memory r True False False -
private_0x00000000003a0000 0x003a0000 0x003affff Private Memory rw True False False -
pagefile_0x00000000003b0000 0x003b0000 0x00537fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000540000 0x00540000 0x006c0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006d0000 0x006d0000 0x01acffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01ad0000 0x01b8ffff Memory Mapped File rw False False False -
private_0x0000000001b90000 0x01b90000 0x01c0ffff Private Memory rw True False False -
private_0x0000000001c10000 0x01c10000 0x01c8ffff Private Memory rw True False False -
pagefile_0x0000000001c90000 0x01c90000 0x01c90fff Pagefile Backed Memory r True False False -
private_0x0000000001d60000 0x01d60000 0x01ddffff Private Memory rw True False False -
sortdefault.nls 0x01de0000 0x020aefff Memory Mapped File r False False False -
private_0x00000000020c0000 0x020c0000 0x0213ffff Private Memory rw True False False -
private_0x0000000002190000 0x02190000 0x0220ffff Private Memory rw True False False -
private_0x0000000002220000 0x02220000 0x0229ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4450000 0x7fef4574fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #27: taskkill.exe
Information Value
ID #27
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:24, Reason: Child Process
Unmonitor End Time: 00:01:40, Reason: Self Terminated
Monitor Duration 00:00:16
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbe8
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xBEC
0xC14
0xC28
0xC2C
0xC30
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00070000 0x00073fff Memory Mapped File rw False False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x00090fff Private Memory rw True False False -
pagefile_0x00000000000a0000 0x000a0000 0x000a0fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
pagefile_0x0000000000460000 0x00460000 0x005e7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005f0000 0x005f0000 0x00770fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000780000 0x00780000 0x01b7ffff Pagefile Backed Memory r True False False -
private_0x0000000001b90000 0x01b90000 0x01c0ffff Private Memory rw True False False -
private_0x0000000001c10000 0x01c10000 0x01c8ffff Private Memory rw True False False -
kernelbase.dll.mui 0x01c90000 0x01d4ffff Memory Mapped File rw False False False -
private_0x0000000001d80000 0x01d80000 0x01dfffff Private Memory rw True False False -
private_0x0000000001e30000 0x01e30000 0x01eaffff Private Memory rw True False False -
private_0x0000000001f80000 0x01f80000 0x01ffffff Private Memory rw True False False -
sortdefault.nls 0x02000000 0x022cefff Memory Mapped File r False False False -
private_0x00000000022d0000 0x022d0000 0x0234ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4450000 0x7fef4574fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #28: taskkill.exe
Information Value
ID #28
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:24, Reason: Child Process
Unmonitor End Time: 00:01:42, Reason: Self Terminated
Monitor Duration 00:00:18
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x81c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x810
0xC1C
0xC34
0xC38
0xC3C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00070000 0x00073fff Memory Mapped File rw False False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x00090fff Private Memory rw True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
locale.nls 0x00270000 0x002d6fff Memory Mapped File r False False False -
private_0x0000000000370000 0x00370000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
pagefile_0x0000000000480000 0x00480000 0x00607fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000610000 0x00610000 0x00790fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007a0000 0x007a0000 0x01b9ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01ba0000 0x01c5ffff Memory Mapped File rw False False False -
private_0x0000000001ca0000 0x01ca0000 0x01d1ffff Private Memory rw True False False -
private_0x0000000001d90000 0x01d90000 0x01e0ffff Private Memory rw True False False -
private_0x0000000001e70000 0x01e70000 0x01eeffff Private Memory rw True False False -
private_0x0000000001f10000 0x01f10000 0x01f8ffff Private Memory rw True False False -
private_0x0000000001fd0000 0x01fd0000 0x0204ffff Private Memory rw True False False -
sortdefault.nls 0x02050000 0x0231efff Memory Mapped File r False False False -
private_0x0000000002410000 0x02410000 0x0248ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef4450000 0x7fef4574fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7320000 0x7fef732efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7490000 0x7fef7515fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef8c90000 0x7fef8cdbfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd450000 0x7fefd45afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #29: taskkill.exe
Information Value
ID #29
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:24, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:28
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x924
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x970
0xC70
0xC94
0xC9C
0xCA0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #30: taskkill.exe
Information Value
ID #30
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:25, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:27
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa84
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA68
0xC48
0xC8C
0xCA4
0xCA8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #31: taskkill.exe
Information Value
ID #31
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:25, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:27
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x824
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x968
0xCD0
0xD0C
0xD28
0xD2C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #32: taskkill.exe
Information Value
ID #32
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:25, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:27
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc08
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC0C
0xCD4
0xD1C
0xD58
0xD5C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #33: taskkill.exe
Information Value
ID #33
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM steam.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:25, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:27
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc4c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC50
0xD74
0xD90
0xDCC
0xDD0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #34: taskkill.exe
Information Value
ID #34
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM synctime.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:25, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:27
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc64
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC68
0xD38
0xD8C
0xDA4
0xDA8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #35: taskkill.exe
Information Value
ID #35
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:26, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:26
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xcbc
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xCC0
0xD88
0xDB0
0xDFC
0xE00
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #36: taskkill.exe
Information Value
ID #36
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM thebat.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:26, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:26
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xce0
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xCE4
0xDAC
0xDEC
0xE04
0xE08
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #37: taskkill.exe
Information Value
ID #37
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:26, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:26
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd40
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xD44
0xE20
0xE50
0xE70
0xE74
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #38: taskkill.exe
Information Value
ID #38
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:26, Reason: Child Process
Unmonitor End Time: 00:01:51, Reason: Self Terminated
Monitor Duration 00:00:25
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd68
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xD6C
0xE38
0xE68
0xE7C
0xE80
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #39: taskkill.exe
Information Value
ID #39
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM visio.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:27, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:25
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xdb4
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xDB8, 0xE58, 0xE78, 0xE84, 0xE88
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #40: taskkill.exe
Information Value
ID #40
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM winword.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:27, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:25
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xddc
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xDE0, 0xE8C, 0xEC4, 0xECC, 0xED0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #41: taskkill.exe
Information Value
ID #41
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:27, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:25
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe2c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xE30, 0xED8, 0xF08, 0xF30, 0xF34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000080000 0x00080000 0x0017ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #42: taskkill.exe
Information Value
ID #42
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:27, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:25
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe44
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xE48, 0xEFC, 0xF2C, 0xF3C, 0xF40
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #43: taskkill.exe
Information Value
ID #43
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:28, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:24
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe90
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xE94, 0xF20, 0xF38, 0xF44, 0xF48
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #44: taskkill.exe
Information Value
ID #44
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:28, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:24
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xeac
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xEB0, 0xF58, 0xF70, 0xF98, 0xF9C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #45: taskkill.exe
Information Value
ID #45
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:28, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:24
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xedc
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xEE0, 0xF78, 0xFC0, 0xFDC, 0xFE0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #46: taskkill.exe
Information Value
ID #46
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:28, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:24
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xef0
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xEF4, 0xF74, 0xFA0, 0xFD4, 0xFD8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #47: taskkill.exe
Information Value
ID #47
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:28, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:24
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf14
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF18, 0xF6C, 0xF88, 0xFCC, 0xFD0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff380000 0xff39efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #48: net.exe
Information Value
ID #48
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:29, Reason: Child Process
Unmonitor End Time: 00:01:33, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf7c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF80
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x001effff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #49: net.exe
Information Value
ID #49
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:01:33, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf8c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF90
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
private_0x0000000000550000 0x00550000 0x0055ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef4920000 0x7fef4931fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #50: net.exe
Information Value
ID #50
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Agent" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:01:33, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfb4
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFB8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #51: net.exe
Information Value
ID #51
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:01:33, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xff0
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFF4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #52: net.exe
Information Value
ID #52
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:01:34, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc10
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC54
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #53: net1.exe
Information Value
ID #53
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Agent" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:01:33, Reason: Self Terminated
Monitor Duration 00:00:03
OS Process Information
Information Value
PID 0xce8
Parent PID 0xfb4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xCDC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa00000 0xffa32fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4920000 0x7fef4931fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa00000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:13:52 (UTC) True 1
Get Time type = Ticks, time = 125019 True 1
Process #54: net1.exe
Information Value
ID #54
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Enterprise Client Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:01:33, Reason: Self Terminated
Monitor Duration 00:00:03
OS Process Information
Information Value
PID 0xcf8
Parent PID 0xf8c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD48
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa00000 0xffa32fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4920000 0x7fef4931fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa00000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:13:52 (UTC) True 1
Get Time type = Ticks, time = 124956 True 1
Process #55: net1.exe
Information Value
ID #55
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:01:33, Reason: Self Terminated
Monitor Duration 00:00:03
OS Process Information
Information Value
PID 0xdbc
Parent PID 0xf7c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xDD8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
private_0x00000000004f0000 0x004f0000 0x004fffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa00000 0xffa32fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4920000 0x7fef4931fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa00000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:13:52 (UTC) True 1
Get Time type = Ticks, time = 125019 True 1
Process #56: net.exe
Information Value
ID #56
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:01:34, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xde4
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xE34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #57: net.exe
Information Value
ID #57
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:31, Reason: Child Process
Unmonitor End Time: 00:01:34, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xeb4
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xEA8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #58: net1.exe
Information Value
ID #58
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Clean Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:31, Reason: Child Process
Unmonitor End Time: 00:01:33, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xf04
Parent PID 0xc10 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF28
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
private_0x00000000006c0000 0x006c0000 0x006cffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa00000 0xffa32fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4920000 0x7fef4931fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa00000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:13:52 (UTC) True 1
Get Time type = Ticks, time = 125019 True 1
Process #59: net.exe
Information Value
ID #59
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Health Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:31, Reason: Child Process
Unmonitor End Time: 00:01:34, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfc8
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFA8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #60: net.exe
Information Value
ID #60
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:31, Reason: Child Process
Unmonitor End Time: 00:01:34, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xec0
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF10
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #61: net.exe
Information Value
ID #61
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:31, Reason: Child Process
Unmonitor End Time: 00:01:33, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1010
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1014
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #62: net1.exe
Information Value
ID #62
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:31, Reason: Child Process
Unmonitor End Time: 00:01:32, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x101c
Parent PID 0xff0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1020
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0031ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa00000 0xffa32fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4920000 0x7fef4931fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa00000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:13:52 (UTC) True 1
Get Time type = Ticks, time = 125019 True 1
Process #63: net.exe
Information Value
ID #63
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Message Router" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:31, Reason: Child Process
Unmonitor End Time: 00:01:34, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1034
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1038
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #64: net.exe
Information Value
ID #64
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:31, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1048
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x104C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000080000 0x00080000 0x0017ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #65: net1.exe
Information Value
ID #65
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:32, Reason: Child Process
Unmonitor End Time: 00:01:34, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x106c
Parent PID 0xde4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1070
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
locale.nls 0x00230000 0x00296fff Memory Mapped File r False False False -
private_0x00000000002f0000 0x002f0000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa00000 0xffa32fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4920000 0x7fef4931fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa00000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:13:53 (UTC) True 1
Get Time type = Ticks, time = 125736 True 1
Process #66: net1.exe
Information Value
ID #66
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:32, Reason: Child Process
Unmonitor End Time: 00:01:34, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x1074
Parent PID 0xeb4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1078
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
private_0x00000000004e0000 0x004e0000 0x004effff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa00000 0xffa32fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4920000 0x7fef4931fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa00000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:13:53 (UTC) True 1
Get Time type = Ticks, time = 125705 True 1
Process #67: net.exe
Information Value
ID #67
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:32, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1080
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1084
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000120000 0x00120000 0x0012ffff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #68: net1.exe
Information Value
ID #68
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Health Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:32, Reason: Child Process
Unmonitor End Time: 00:01:34, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x108c
Parent PID 0xfc8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1090
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x003affff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa00000 0xffa32fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4920000 0x7fef4931fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa00000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:13:53 (UTC) True 1
Get Time type = Ticks, time = 125814 True 1
Process #69: net1.exe
17 0
Information Value
ID #69
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:32, Reason: Child Process
Unmonitor End Time: 00:01:34, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x1094
Parent PID 0xec0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1098
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0011ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa00000 0xffa32fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4920000 0x7fef4931fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa00000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-13 19:13:53 (UTC) True 1
Get Time type = Ticks, time = 125846 True 1
Process #70: net.exe
0 0
Information Value
ID #70
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:32, Reason: Child Process
Unmonitor End Time: 00:01:36, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x10a8
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x10AC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #71: net1.exe
17 0
Information Value
ID #71
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Message Router" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:33, Reason: Child Process
Unmonitor End Time: 00:01:34, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x10c0
Parent PID 0x1034 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x10C4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x0017ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffeb0000 0xffee2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4920000 0x7fef4931fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffeb0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-13 19:13:54 (UTC) True 1
Get Time type = Ticks, time = 126922 True 1
Process #72: net1.exe
17 0
Information Value
ID #72
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos MCS Client" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:33, Reason: Child Process
Unmonitor End Time: 00:01:34, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x10cc
Parent PID 0x1010 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x10D0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x000dffff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffeb0000 0xffee2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4920000 0x7fef4931fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffeb0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-13 19:13:54 (UTC) True 1
Get Time type = Ticks, time = 126891 True 1
Process #73: net.exe
0 0
Information Value
ID #73
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:33, Reason: Child Process
Unmonitor End Time: 00:01:36, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x10d4
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x10D8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #74: net.exe
0 0
Information Value
ID #74
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:33, Reason: Child Process
Unmonitor End Time: 00:01:37, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x10f4
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x10F8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #75: net1.exe
17 0
Information Value
ID #75
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:34, Reason: Child Process
Unmonitor End Time: 00:01:34, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x1120
Parent PID 0x1080 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1124
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x003affff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff400000 0xff432fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff400000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-13 19:13:55 (UTC) True 1
Get Time type = Ticks, time = 127624 True 1
Process #76: net.exe
0 0
Information Value
ID #76
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:34, Reason: Child Process
Unmonitor End Time: 00:01:40, Reason: Self Terminated
Monitor Duration 00:00:06
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1128
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x112C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #77: net1.exe
17 0
Information Value
ID #77
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:34, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1138
Parent PID 0x1048 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x113C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0041ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff400000 0xff432fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff400000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-13 19:13:55 (UTC) True 1 Fn
Get Time type = Ticks, time = 127827 True 1 Fn
Process #78: net1.exe
17 0
Information Value
ID #78
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:34, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1144
Parent PID 0x10a8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1148
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x000dffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff400000 0xff432fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff400000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-13 19:13:55 (UTC) True 1 Fn
Get Time type = Ticks, time = 127780 True 1 Fn
Process #79: net.exe
0 0
Information Value
ID #79
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:34, Reason: Child Process
Unmonitor End Time: 00:01:40, Reason: Self Terminated
Monitor Duration 00:00:06
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1154
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1158
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #80: net1.exe
17 0
Information Value
ID #80
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:34, Reason: Child Process
Unmonitor End Time: 00:01:35, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1160
Parent PID 0x10d4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1164
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x0015ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff400000 0xff432fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff400000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-13 19:13:55 (UTC) True 1 Fn
Get Time type = Ticks, time = 128061 True 1 Fn
Process #81: net.exe
0 0
Information Value
ID #81
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop AcronisAgent /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:34, Reason: Child Process
Unmonitor End Time: 00:01:41, Reason: Self Terminated
Monitor Duration 00:00:07
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x117c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1180
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #82: net.exe
0 0
Information Value
ID #82
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop AcrSch2Svc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:34, Reason: Child Process
Unmonitor End Time: 00:01:41, Reason: Self Terminated
Monitor Duration 00:00:07
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1190
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1194
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory rw True False False -
locale.nls 0x00210000 0x00276fff Memory Mapped File r False False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x003effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef4920000 0x7fef4931fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #83: net1.exe
17 0
Information Value
ID #83
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:35, Reason: Child Process
Unmonitor End Time: 00:01:37, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x11a8
Parent PID 0x10f4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x11AC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x0043ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff250000 0xff282fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff250000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-13 19:13:56 (UTC) True 1 Fn
Get Time type = Ticks, time = 129184 True 1 Fn
Process #84: net.exe
0 0
Information Value
ID #84
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop Antivirus /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:01:40, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1270
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1274
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #85: net.exe
0 0
Information Value
ID #85
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ARSM /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:01:40, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1290
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1294
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #86: net1.exe
Information Value
ID #86
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop AcrSch2Svc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:01:40, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x12a0
Parent PID 0x1190 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x12A4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x0057ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe20000 0xffe52fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4920000 0x7fef4931fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe20000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:14:01 (UTC) True 1
Get Time type = Ticks, time = 133271 True 1
Process #87: net1.exe
Information Value
ID #87
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop AcronisAgent /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:01:40, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x12a8
Parent PID 0x117c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x12AC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x002bffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe20000 0xffe52fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4920000 0x7fef4931fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe20000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:14:01 (UTC) True 1
Get Time type = Ticks, time = 133302 True 1
Process #88: net1.exe
Information Value
ID #88
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Symantec System Recovery" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:01:41, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x12b0
Parent PID 0x1128 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x12B4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x0030ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe20000 0xffe52fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4920000 0x7fef4931fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe20000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:14:01 (UTC) True 1
Get Time type = Ticks, time = 133349 True 1
Process #89: net1.exe
Information Value
ID #89
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:01:40, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x12b8
Parent PID 0x1154 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x12BC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0021ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe20000 0xffe52fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4920000 0x7fef4931fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe20000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:14:01 (UTC) True 1
Get Time type = Ticks, time = 133505 True 1
Process #90: net.exe
Information Value
ID #90
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:01:42, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x12c8
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x12CC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #91: net1.exe
Information Value
ID #91
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop Antivirus /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:01:41, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x12d4
Parent PID 0x1270 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x12D8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0027ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe20000 0xffe52fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4920000 0x7fef4931fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe20000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:14:01 (UTC) True 1
Get Time type = Ticks, time = 133583 True 1
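Added example, not part of the VMRay report: processes #85 to #93 show the sample's service-kill pattern. xhcdxx.exe (PID 0xb0) launches one `net.exe stop <service> /y` per backup, recovery or AV service, and each net.exe hands the request to a net1.exe child. In this run the stops did not succeed: net1.exe opens the service control manager, but `Get Service Name` returns False and the process then writes to STD_ERROR_HANDLE, which is consistent with the targeted services not existing on the analysis VM. Process-creation telemetry, not service-state events, is therefore what catches this behaviour. The Python below reconstructs the parent chain from constructed process-creation events (PIDs, parents and command lines are copied from the report; the net.exe parents of #86 to #89 and #91 appear in the report only as Parent PID values, so their command lines are assumed; the cmd.exe/Spooler events are a constructed benign control), credits each net1.exe stop to the process that launched net.exe, and alerts when one origin stops several distinct services inside a short window. The thresholds and the watch-list of service names are assumptions, not values from the report.

```python
import re
from collections import defaultdict

# Backup / recovery / AV service names the sample targets in this part of the
# report (lower-cased). Assumed watch-list: extend it for your own estate.
BACKUP_AV_SERVICES = {
    "arsm", "acrsch2svc", "acronisagent", "symantec system recovery",
    "veeam backup catalog data service", "backupexecagentaccelerator",
    "antivirus", "backupexecagentbrowser", "backupexecdevicemediaservice",
}

# Constructed process-creation events: (seconds into the analysis, pid, ppid,
# command line). PIDs, parents and command lines come from the report; entries
# marked "assumed" are net.exe parents the report lists only as Parent PID
# values, and the last three events are a constructed benign control.
EVENTS = [
    (98,  0x00b0, 0x0001, r'"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe"'),  # ppid assumed
    (99,  0x1290, 0x00b0, r'"C:\Windows\System32\net.exe" stop ARSM /y'),
    (99,  0x1190, 0x00b0, r'"C:\Windows\System32\net.exe" stop AcrSch2Svc /y'),  # assumed
    (99,  0x12a0, 0x1190, r'C:\Windows\system32\net1 stop AcrSch2Svc /y'),
    (99,  0x117c, 0x00b0, r'"C:\Windows\System32\net.exe" stop AcronisAgent /y'),  # assumed
    (99,  0x12a8, 0x117c, r'C:\Windows\system32\net1 stop AcronisAgent /y'),
    (99,  0x1128, 0x00b0, r'"C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y'),  # assumed
    (99,  0x12b0, 0x1128, r'C:\Windows\system32\net1 stop "Symantec System Recovery" /y'),
    (99,  0x1154, 0x00b0, r'"C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y'),  # assumed
    (99,  0x12b8, 0x1154, r'C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y'),
    (99,  0x12c8, 0x00b0, r'"C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y'),
    (99,  0x1270, 0x00b0, r'"C:\Windows\System32\net.exe" stop Antivirus /y'),  # assumed
    (99,  0x12d4, 0x1270, r'C:\Windows\system32\net1 stop Antivirus /y'),
    (100, 0x12ec, 0x00b0, r'"C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y'),
    (100, 0x1300, 0x00b0, r'"C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y'),
    (300, 0x1f00, 0x0001, r'"C:\Windows\System32\cmd.exe"'),                 # benign control
    (305, 0x2000, 0x1f00, r'"C:\Windows\System32\net.exe" stop Spooler /y'),  # benign control
    (305, 0x2004, 0x2000, r'C:\Windows\system32\net1 stop Spooler /y'),      # benign control
]


def split_cmdline(cmdline):
    """Split on whitespace while keeping double-quoted arguments together
    (enough for net.exe command lines; not a full CommandLineToArgvW)."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def exe_name(cmdline):
    """Lower-cased image name without path or .exe, e.g. 'net1'."""
    head = split_cmdline(cmdline)[0].rsplit("\\", 1)[-1].lower()
    return head[:-4] if head.endswith(".exe") else head


def net_stop_target(cmdline):
    """Service named by `net stop <svc>` or `net1 stop <svc>`; None otherwise."""
    toks = split_cmdline(cmdline)
    if len(toks) >= 3 and exe_name(cmdline) in ("net", "net1") and toks[1].lower() == "stop":
        return toks[2]
    return None


def originating_pid(pid, by_pid):
    """Walk up through net.exe/net1.exe so a stop issued via net -> net1 is
    credited to the process that launched it. PID reuse is ignored here."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        if exe_name(by_pid[pid][2]) not in ("net", "net1"):
            return pid
        pid = by_pid[pid][1]  # move to the parent
    return pid


def detect_service_stop_bursts(events, window=60, min_services=3):
    """Alert on any origin process that stops `min_services` distinct services
    within `window` seconds. Thresholds are assumptions, not report values."""
    by_pid = {pid: (t, ppid, cmd) for t, pid, ppid, cmd in events}
    stops = defaultdict(dict)  # origin pid -> {service: first time seen}
    for t, pid, ppid, cmd in events:
        svc = net_stop_target(cmd)
        if svc is None:
            continue
        origin = originating_pid(pid, by_pid)
        stops[origin].setdefault(svc.lower(), t)  # a net + net1 pair counts once
    alerts = []
    for origin, svcs in stops.items():
        times = sorted(svcs.values())
        # most distinct services stopped inside any `window`-second span
        peak = max(sum(1 for x in times if t0 <= x < t0 + window) for t0 in times)
        if peak >= min_services:
            alerts.append({
                "origin_pid": origin,
                "origin_image": exe_name(by_pid[origin][2]) if origin in by_pid else None,
                "services": sorted(svcs),
                "watchlist_hits": sorted(s for s in svcs if s in BACKUP_AV_SERVICES),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_service_stop_bursts(EVENTS):
        print(f"PID {alert['origin_pid']:#x} ({alert['origin_image']}) stopped "
              f"{len(alert['services'])} services, {len(alert['watchlist_hits'])} on watch-list")
```

Counting distinct service names per origin, rather than net.exe launches, is what keeps the net.exe/net1.exe pairing from doubling the score; the walk-up in `originating_pid` is also why the alert names xhcdxx.exe rather than a dozen short-lived net.exe processes. On a real host the watch-list hits are the severity signal: a burst of stops against Acronis, Veeam, Symantec and Backup Exec services is a backup-destruction precursor regardless of whether the stops succeeded.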
Process #92: net.exe
Information Value
ID #92
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:40, Reason: Child Process
Unmonitor End Time: 00:01:41, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x12ec
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x12F0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #93: net.exe
Information Value
ID #93
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:40, Reason: Child Process
Unmonitor End Time: 00:01:42, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1300
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1304
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #94: net1.exe
Information Value
ID #94
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ARSM /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:40, Reason: Child Process
Unmonitor End Time: 00:01:41, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1320
Parent PID 0x1290 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1324
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
private_0x00000000006e0000 0x006e0000 0x006effff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff930000 0xff962fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4920000 0x7fef4931fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff930000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:14:01 (UTC) True 1
Get Time type = Ticks, time = 133880 True 1
Process #95: net.exe
Information Value
ID #95
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecJobEngine /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:40, Reason: Child Process
Unmonitor End Time: 00:01:41, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1328
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x132C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #96: net.exe
Information Value
ID #96
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecManagementService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:40, Reason: Child Process
Unmonitor End Time: 00:01:41, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x133c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1340
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #97: net.exe
Information Value
ID #97
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecRPCService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:40, Reason: Child Process
Unmonitor End Time: 00:01:41, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1350
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1354
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #98: net1.exe
Information Value
ID #98
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:40, Reason: Child Process
Unmonitor End Time: 00:01:42, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x137c
Parent PID 0x12c8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1380
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x003effff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff620000 0xff652fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff620000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:14:02 (UTC) True 1
Get Time type = Ticks, time = 134363 True 1
Process #99: net1.exe
Information Value
ID #99
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:40, Reason: Child Process
Unmonitor End Time: 00:01:42, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x1384
Parent PID 0x1300 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1388
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000120000 0x00120000 0x0012ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff620000 0xff652fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff620000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:14:02 (UTC) True 1
Get Time type = Ticks, time = 134488 True 1
Process #100: net1.exe
Information Value
ID #100
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:40, Reason: Child Process
Unmonitor End Time: 00:01:42, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x138c
Parent PID 0x12ec (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1390
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x001bffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff620000 0xff652fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff620000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:14:02 (UTC) True 1
Get Time type = Ticks, time = 134738 True 1
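Note on the process tree above: every "net.exe stop <service> /y" child of the sample (Parent PID 0xb0) re-executes itself as "net1 stop <service> /y", so the net1.exe processes (#94, #98, #99, #100) carry a net.exe instance as parent rather than xhcdxx.exe, and each service stop appears twice in process-creation telemetry. In the net1.exe blocks, OpenSCManager succeeds (the process runs elevated) but "Get Service Name" fails, netmsg.dll is loaded, and 30, 2 and 52 bytes are written to STD_ERROR_HANDLE; those sizes equal the lengths of "The service name is invalid." and "More help is available by typing NET HELPMSG 2185." with CRLF, so the stops most likely failed only because the Backup Exec services are not installed on the analysis VM. On a backup server the same commands would succeed. The detection below is an added example and not part of the VMRay report or of the sample: it replays constructed process-creation records (field names pid/ppid/image/cmd are hypothetical, modelled on Sysmon Event ID 1 / Security 4688) whose PIDs and command lines follow the tree shown here, plus a hypothetical "taskkill /IM ... /F" record and a benign single "net stop Spooler" issued from an administrator's cmd.exe, both constructed. It attributes each stop or kill command to the nearest ancestor that is not a relay (net.exe, net1.exe, cmd.exe), counts distinct targets per origin so the net.exe/net1.exe pair for one service counts once, and flags origins at or above a threshold of three. The threshold and the relay list are assumptions to tune per environment; the taskkill handling goes beyond the rows visible in this section.

```python
import re
from collections import defaultdict

# Constructed process-creation records (hypothetical field names modelled on
# Sysmon Event ID 1 / Security 4688). PIDs and command lines follow the report:
# xhcdxx.exe (0xb0) -> net.exe stop <svc> /y -> net1.exe stop <svc> /y.
SAMPLE_EVENTS = [
    {"pid": 0x0b0, "ppid": 0x040, "image": r"C:\Users\victim\Desktop\xhcdxx.exe",
     "cmd": r'"C:\Users\victim\Desktop\xhcdxx.exe"'},
    {"pid": 0x12ec, "ppid": 0x0b0, "image": r"C:\Windows\System32\net.exe",
     "cmd": r'"C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y'},
    {"pid": 0x138c, "ppid": 0x12ec, "image": r"C:\Windows\System32\net1.exe",
     "cmd": r"C:\Windows\system32\net1 stop BackupExecAgentBrowser /y"},
    {"pid": 0x1300, "ppid": 0x0b0, "image": r"C:\Windows\System32\net.exe",
     "cmd": r'"C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y'},
    {"pid": 0x1384, "ppid": 0x1300, "image": r"C:\Windows\System32\net1.exe",
     "cmd": r"C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y"},
    {"pid": 0x1328, "ppid": 0x0b0, "image": r"C:\Windows\System32\net.exe",
     "cmd": r'"C:\Windows\System32\net.exe" stop BackupExecJobEngine /y'},
    {"pid": 0x133c, "ppid": 0x0b0, "image": r"C:\Windows\System32\net.exe",
     "cmd": r'"C:\Windows\System32\net.exe" stop BackupExecManagementService /y'},
    {"pid": 0x1350, "ppid": 0x0b0, "image": r"C:\Windows\System32\net.exe",
     "cmd": r'"C:\Windows\System32\net.exe" stop BackupExecRPCService /y'},
    {"pid": 0x1394, "ppid": 0x0b0, "image": r"C:\Windows\System32\net.exe",
     "cmd": r'"C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y'},
    # Hypothetical taskkill record: the same pattern aimed at a process, not a service.
    {"pid": 0x13a0, "ppid": 0x0b0, "image": r"C:\Windows\System32\taskkill.exe",
     "cmd": r'"C:\Windows\System32\taskkill.exe" /IM backupagent.exe /F'},
    # Benign control (constructed): an administrator stops one service from a console.
    {"pid": 0x800, "ppid": 0x700, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe"'},
    {"pid": 0x810, "ppid": 0x800, "image": r"C:\Windows\System32\net.exe",
     "cmd": r'"C:\Windows\System32\net.exe" stop Spooler /y'},
]

NET_STOP = re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+(\S+)', re.IGNORECASE)
TASKKILL = re.compile(r'\btaskkill(?:\.exe)?"?\s+.*?/IM\s+(\S+)', re.IGNORECASE)
# Images that only relay a command to the next process. net.exe always
# re-executes "net1 <args>", so net1.exe's parent is net.exe, not the sample.
RELAY_IMAGES = {"net.exe", "net1.exe", "cmd.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def extract_target(cmd):
    """Return ("service", name) or ("process", image) for a stop/kill command line, else None."""
    m = NET_STOP.search(cmd)
    if m:
        return ("service", m.group(1).lower())
    m = TASKKILL.search(cmd)
    if m:
        return ("process", m.group(1).lower())
    return None


def origin_of(event, by_pid):
    """Climb past relay processes to the PID that actually initiated the command."""
    pid = event["ppid"]
    while pid in by_pid and basename(by_pid[pid]["image"]) in RELAY_IMAGES:
        pid = by_pid[pid]["ppid"]
    return pid


def find_mass_stoppers(events, threshold=3):
    """Map origin PID -> sorted distinct (kind, target) pairs, for origins at or above threshold.

    Distinct targets are counted, so the net.exe/net1.exe pair for one service counts once.
    """
    by_pid = {e["pid"]: e for e in events}
    targets = defaultdict(set)
    for e in events:
        hit = extract_target(e["cmd"])
        if hit is not None:
            targets[origin_of(e, by_pid)].add(hit)
    return {pid: sorted(t) for pid, t in targets.items() if len(t) >= threshold}


if __name__ == "__main__":
    by_pid = {e["pid"]: e for e in SAMPLE_EVENTS}
    for pid, hits in find_mass_stoppers(SAMPLE_EVENTS).items():
        image = by_pid[pid]["image"] if pid in by_pid else "<not in log>"
        print(f"ALERT pid=0x{pid:x} image={image} distinct_targets={len(hits)}")
        for kind, name in hits:
            print(f"  {kind}: {name}")
```

Run as is, the only alert is for PID 0xb0 with seven distinct targets (six Backup Exec services plus the hypothetical taskkill victim); the administrator's single "net stop Spooler" stays below the threshold. In production the same logic should be keyed on a time window as well as on the origin process, and the service-name list can be narrowed to backup, database and security products if the environment generates many legitimate bulk stops.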
Process #101: net.exe
Information Value
ID #101
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:40, Reason: Child Process
Unmonitor End Time: 00:01:43, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1394
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1398
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0028ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef4920000 0x7fef4931fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #102: net.exe
0 0
Information Value
ID #102
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop bedbg /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:41, Reason: Child Process
Unmonitor End Time: 00:01:42, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x13b4
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x13B8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #103: net1.exe
17 0
Information Value
ID #103
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecJobEngine /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:41, Reason: Child Process
Unmonitor End Time: 00:01:42, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x13c0
Parent PID 0x1328 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x13C4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0036ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff620000 0xff652fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff620000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-13 19:14:02 (UTC) True 1
Get Time type = Ticks, time = 135003 True 1
Process #104: net1.exe
17 0
Information Value
ID #104
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecManagementService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:41, Reason: Child Process
Unmonitor End Time: 00:01:42, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x13c8
Parent PID 0x133c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x13CC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0031ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff620000 0xff652fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff620000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-13 19:14:02 (UTC) True 1
Get Time type = Ticks, time = 134878 True 1
Process #105: net1.exe
17 0
Information Value
ID #105
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecRPCService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:41, Reason: Child Process
Unmonitor End Time: 00:01:42, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x13d0
Parent PID 0x1350 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x13D4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
locale.nls 0x00150000 0x001b6fff Memory Mapped File r False False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0037ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff620000 0xff652fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff620000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-13 19:14:02 (UTC) True 1
Get Time type = Ticks, time = 134862 True 1
Process #106: net.exe
0 0
Information Value
ID #106
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop DCAgent /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:41, Reason: Child Process
Unmonitor End Time: 00:01:43, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x13ec
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x13F0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #107: net1.exe
17 0
Information Value
ID #107
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecVSSProvider /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:41, Reason: Child Process
Unmonitor End Time: 00:01:42, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xe40
Parent PID 0x1394 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1008
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
private_0x0000000000560000 0x00560000 0x0056ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff0b0000 0xff0e2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4920000 0x7fef4931fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff0b0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-13 19:14:03 (UTC) True 1
Get Time type = Ticks, time = 135315 True 1
Process #108: net.exe
0 0
Information Value
ID #108
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop EPSecurityService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:41, Reason: Child Process
Unmonitor End Time: 00:01:43, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1028
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1018
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #109: net.exe
0 0
Information Value
ID #109
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop EPUpdateService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:41, Reason: Child Process
Unmonitor End Time: 00:01:44, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1050
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE4C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0023ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x0052ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #110: net1.exe
17 0
Information Value
ID #110
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop bedbg /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:42, Reason: Child Process
Unmonitor End Time: 00:01:42, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xcdc
Parent PID 0x13b4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF04
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
locale.nls 0x00240000 0x002a6fff Memory Mapped File r False False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe70000 0xffea2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4920000 0x7fef4931fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe70000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:14:03 (UTC) True 1
Get Time type = Ticks, time = 135564 True 1
Process #111: net1.exe
17 0
Information Value
ID #111
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop DCAgent /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:42, Reason: Child Process
Unmonitor End Time: 00:01:43, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xff0
Parent PID 0x13ec (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD80
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0011ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe70000 0xffea2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4920000 0x7fef4931fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe70000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:14:03 (UTC) True 1
Get Time type = Ticks, time = 135689 True 1
Process #112: net.exe
0 0
Information Value
ID #112
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop EraserSvc11710 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:42, Reason: Child Process
Unmonitor End Time: 00:01:44, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1088
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xDBC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #113: net.exe
0 0
Information Value
ID #113
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop EsgShKernel /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:42, Reason: Child Process
Unmonitor End Time: 00:01:45, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf90
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF7C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #114: net.exe
0 0
Information Value
ID #114
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop FA_Scheduler /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:42, Reason: Child Process
Unmonitor End Time: 00:01:46, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1070
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x106C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #115: net.exe
0 0
Information Value
ID #115
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop IISAdmin /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:42, Reason: Child Process
Unmonitor End Time: 00:01:45, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x108c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x10A4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x0022ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #116: net1.exe
17 0
Information Value
ID #116
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop EPUpdateService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:42, Reason: Child Process
Unmonitor End Time: 00:01:43, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1094
Parent PID 0x1050 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xE60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff620000 0xff652fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff620000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:14:04 (UTC) True 1
Get Time type = Ticks, time = 136719 True 1
Process #117: net1.exe
17 0
Information Value
ID #117
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop EPSecurityService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:43, Reason: Child Process
Unmonitor End Time: 00:01:43, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xfb4
Parent PID 0x1028 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
private_0x0000000000580000 0x00580000 0x0058ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff620000 0xff652fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff620000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:14:04 (UTC) True 1
Get Time type = Ticks, time = 136734 True 1
Process #118: net.exe
Information Value
ID #118
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop IMAP4Svc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:43, Reason: Child Process
Unmonitor End Time: 00:01:45, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfa8
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF10
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #119: net1.exe
Information Value
ID #119
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop EraserSvc11710 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:43, Reason: Child Process
Unmonitor End Time: 00:01:44, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf94
Parent PID 0x1088 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x100C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff200000 0xff232fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff200000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:14:04 (UTC) True 1
Get Time type = Ticks, time = 137202 True 1
Process #120: net.exe
Information Value
ID #120
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop macmnsvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:43, Reason: Child Process
Unmonitor End Time: 00:01:47, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xde4
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC24
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #121: net.exe
Information Value
ID #121
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop masvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:43, Reason: Child Process
Unmonitor End Time: 00:01:46, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xef8
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x10D0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #122: net1.exe
Information Value
ID #122
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop FA_Scheduler /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:43, Reason: Child Process
Unmonitor End Time: 00:01:46, Reason: Self Terminated
Monitor Duration 00:00:03
OS Process Information
Information Value
PID 0x1014
Parent PID 0x1070 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x10C0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
private_0x0000000000570000 0x00570000 0x0057ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff200000 0xff232fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff200000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:14:05 (UTC) True 1
Get Time type = Ticks, time = 137561 True 1
Process #123: net1.exe
Information Value
ID #123
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop EsgShKernel /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:43, Reason: Child Process
Unmonitor End Time: 00:01:46, Reason: Self Terminated
Monitor Duration 00:00:03
OS Process Information
Information Value
PID 0xfc8
Parent PID 0xf90 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1054
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
private_0x0000000000510000 0x00510000 0x0051ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff200000 0xff232fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff200000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:14:05 (UTC) True 1
Get Time type = Ticks, time = 137561 True 1
Process #124: net1.exe
Information Value
ID #124
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop IISAdmin /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:43, Reason: Child Process
Unmonitor End Time: 00:01:46, Reason: Self Terminated
Monitor Duration 00:00:03
OS Process Information
Information Value
PID 0x1058
Parent PID 0x108c (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x00000000004f0000 0x004f0000 0x004fffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff200000 0xff232fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff200000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:14:05 (UTC) True 1
Get Time type = Ticks, time = 137577 True 1
Process #125: net.exe
Information Value
ID #125
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MBAMService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:44, Reason: Child Process
Unmonitor End Time: 00:01:46, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1034
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x107C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #126: net1.exe
Information Value
ID #126
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop IMAP4Svc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:44, Reason: Child Process
Unmonitor End Time: 00:01:45, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x10fc
Parent PID 0xfa8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1108
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000230000 0x00230000 0x0023ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff200000 0xff232fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff200000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-13 19:14:05 (UTC) True 1 Fn
Get Time type = Ticks, time = 138076 True 1 Fn
Process #127: net.exe
0 0
Information Value
ID #127
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MBEndpointAgent /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:44, Reason: Child Process
Unmonitor End Time: 00:01:47, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1124
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1120
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000550000 0x00550000 0x0055ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef42e0000 0x7fef42f1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #128: net.exe
0 0
Information Value
ID #128
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop McAfeeEngineService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:45, Reason: Child Process
Unmonitor End Time: 00:01:47, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x10bc
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1184
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #129: net.exe
0 0
Information Value
ID #129
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop McAfeeFramework /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:45, Reason: Child Process
Unmonitor End Time: 00:01:47, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1100
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x10D8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #130: net1.exe
17 0
Information Value
ID #130
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MBEndpointAgent /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:45, Reason: Child Process
Unmonitor End Time: 00:01:46, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xa4c
Parent PID 0x1124 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA48
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
locale.nls 0x001a0000 0x00206fff Memory Mapped File r False False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x003effff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff520000 0xff552fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef42e0000 0x7fef42f1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff520000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-13 19:14:06 (UTC) True 1 Fn
Get Time type = Ticks, time = 139168 True 1 Fn
Process #131: net1.exe
17 0
Information Value
ID #131
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop macmnsvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:45, Reason: Child Process
Unmonitor End Time: 00:01:46, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xa40
Parent PID 0xde4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x111C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
private_0x00000000004c0000 0x004c0000 0x004cffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff520000 0xff552fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef42e0000 0x7fef42f1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff520000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-13 19:14:06 (UTC) True 1 Fn
Get Time type = Ticks, time = 139215 True 1 Fn
Process #132: net1.exe
17 0
Information Value
ID #132
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop masvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:45, Reason: Child Process
Unmonitor End Time: 00:01:46, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x10b4
Parent PID 0xef8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x10F0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff520000 0xff552fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef42e0000 0x7fef42f1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff520000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-13 19:14:07 (UTC) True 1 Fn
Get Time type = Ticks, time = 139246 True 1 Fn
Process #133: net1.exe
17 0
Information Value
ID #133
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MBAMService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:45, Reason: Child Process
Unmonitor End Time: 00:01:46, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x118c
Parent PID 0x1034 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x11A0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x002cffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff520000 0xff552fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef42e0000 0x7fef42f1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff520000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-13 19:14:07 (UTC) True 1 Fn
Get Time type = Ticks, time = 139262 True 1 Fn
Process #134: net.exe
0 0
Information Value
ID #134
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:45, Reason: Child Process
Unmonitor End Time: 00:01:48, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x11a8
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1168
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x002affff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #135: net.exe
0 0
Information Value
ID #135
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop McShield /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:46, Reason: Child Process
Unmonitor End Time: 00:01:48, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x97c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x980
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #136: net1.exe
17 0
Information Value
ID #136
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop McAfeeEngineService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:46, Reason: Child Process
Unmonitor End Time: 00:01:47, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x890
Parent PID 0x10bc (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x888
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
private_0x0000000000590000 0x00590000 0x0059ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3b0000 0xff3e2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef42e0000 0x7fef42f1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff3b0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:14:07 (UTC) True 1
Get Time type = Ticks, time = 139964 True 1
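The pattern worth detecting in processes #134 to #142 is not any single command line but the chain: the analysis target xhcdxx.exe (PID 0xb0) spawns one net.exe per service, each net.exe hands off to net1.exe, and every target is a McAfee service (McShield, McTaskManager, mfemms, mfevtp, McAfeeFramework, McAfeeEngineService). The Service rows above also show that "Get Service Name" returned False and that net1.exe wrote to STD_ERROR_HANDLE, i.e. the stops failed because those services do not exist on the analysis VM; a detection must therefore fire on the attempt, not on a successful service-stop event. The following is an added example and is not part of the VMRay report or of the sample: a Python detector over Sysmon/EDR-style process-creation records that walks the net.exe/net1.exe parent chain back to the originating binary and flags it when it touches a known security service or many distinct targets. The event records are constructed from the PID, Parent PID and Command Line rows above; the benign `net stop spooler` from cmd.exe and the `taskkill /IM sqlservr.exe /F` child are hypothetical additions, and the service list and regular expressions are assumptions to be tuned per estate.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Hypothetical process-creation record; fields mirror the PID / Parent PID /
    File Name / Command Line rows of the sandbox report."""
    pid: int
    ppid: int
    image: str      # lower-case basename, e.g. "net.exe"
    cmdline: str


# Service names this sample tried to stop, taken from the net.exe command lines in
# the report. Assumed starting point only; extend with the products in your estate.
SECURITY_SERVICES = {
    "mcshield", "mctaskmanager", "mfemms", "mfevtp",
    "mcafeeframework", "mcafeeengineservice", "mcafeeframeworkmcafeeframework",
}

# Images that merely relay the request (net.exe launches net1.exe; cmd.exe wraps
# both); attribution walks through them to the real originator.
RELAY_IMAGES = {"net.exe", "net1.exe", "taskkill.exe", "cmd.exe"}

NET_STOP = re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+"?(?P<svc>[^"\s]+)', re.I)
TASKKILL = re.compile(r'\btaskkill(?:\.exe)?"?\s.*?/IM\s+"?(?P<img>[^"\s]+)', re.I)


def target_of(cmdline):
    """Return ('service', name) for a `net stop`, ('process', image) for a
    `taskkill /IM`, or None when the command line does neither."""
    m = NET_STOP.search(cmdline)
    if m:
        return ("service", m.group("svc").lower())
    m = TASKKILL.search(cmdline)
    if m:
        return ("process", m.group("img").lower())
    return None


def root_of(event, by_pid):
    """Follow parent links through relay images until a non-relay parent is found.
    Stops at the last known process when the parent PID is not in the dataset."""
    cur, seen = event, set()
    while cur.ppid in by_pid and cur.pid not in seen:
        seen.add(cur.pid)
        parent = by_pid[cur.ppid]
        if parent.image not in RELAY_IMAGES:
            return parent
        cur = parent
    return cur


def detect(events, min_targets=3):
    """Group stop/kill requests by originating process; flag an originator that
    names a known security service or hits at least `min_targets` distinct targets.
    Duplicate net.exe / net1.exe rows for the same service collapse into one target."""
    by_pid = {e.pid: e for e in events}
    per_root = defaultdict(set)
    for e in events:
        t = target_of(e.cmdline)
        if t:
            per_root[root_of(e, by_pid).pid].add(t)
    findings = []
    for pid, targets in per_root.items():
        hits = {n for kind, n in targets if kind == "service" and n in SECURITY_SERVICES}
        if hits or len(targets) >= min_targets:
            findings.append({
                "root_pid": pid,
                "root_image": by_pid[pid].image,
                "targets": sorted(targets),
                "security_services": sorted(hits),
            })
    return findings


# Constructed from the report rows (PIDs in hex as shown there); the taskkill child
# and the cmd.exe / spooler pair are hypothetical additions for contrast.
SAMPLE_EVENTS = [
    ProcEvent(0xb0, 0x1, "xhcdxx.exe", r'"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe"'),
    ProcEvent(0x11a8, 0xb0, "net.exe", r'"C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y'),
    ProcEvent(0x97c, 0xb0, "net.exe", r'"C:\Windows\System32\net.exe" stop McShield /y'),
    ProcEvent(0xb00, 0xb0, "net.exe", r'"C:\Windows\System32\net.exe" stop McTaskManager /y'),
    ProcEvent(0xae4, 0xb0, "net.exe", r'"C:\Windows\System32\net.exe" stop mfemms /y'),
    ProcEvent(0xb78, 0xb0, "net.exe", r'"C:\Windows\System32\net.exe" stop mfevtp /y'),
    ProcEvent(0x11e0, 0x11a8, "net1.exe", r'C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y'),
    ProcEvent(0xadc, 0x97c, "net1.exe", r'C:\Windows\system32\net1 stop McShield /y'),
    ProcEvent(0xf0, 0xb0, "taskkill.exe", r'"C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F'),
    ProcEvent(0x1234, 0x1200, "cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    ProcEvent(0x1235, 0x1234, "net.exe", r'"C:\Windows\System32\net.exe" stop spooler'),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['root_image']} (pid {f['root_pid']:#x}) stopped/killed "
              f"{len(f['targets'])} targets, security services: {f['security_services']}")
```

Attribution to the originator is what makes the rule robust: each net.exe child on its own stops a single service and looks like routine administration, and the benign cmd.exe chain with one `net stop spooler` is left alone, while xhcdxx.exe is flagged both for the McAfee names and for the sheer number of distinct targets it drives.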
Process #137: net1.exe
17 0
Information Value
ID #137
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop McAfeeFramework /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:46, Reason: Child Process
Unmonitor End Time: 00:01:47, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x10f4
Parent PID 0x1100 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1134
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff3b0000 0xff3e2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef42e0000 0x7fef42f1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff3b0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:14:07 (UTC) True 1
Get Time type = Ticks, time = 139948 True 1
Process #138: net.exe
0 0
Information Value
ID #138
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop McTaskManager /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:46, Reason: Child Process
Unmonitor End Time: 00:01:48, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb00
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB04
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #139: net.exe
0 0
Information Value
ID #139
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop mfemms /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:46, Reason: Child Process
Unmonitor End Time: 00:01:48, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xae4
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x11D8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #140: net1.exe
17 0
Information Value
ID #140
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:47, Reason: Child Process
Unmonitor End Time: 00:01:47, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x11e0
Parent PID 0x11a8 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xAD8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
private_0x0000000000650000 0x00650000 0x0065ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff220000 0xff252fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff220000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:14:08 (UTC) True 1
Get Time type = Ticks, time = 140634 True 1
Process #141: net1.exe
17 0
Information Value
ID #141
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop McShield /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:47, Reason: Child Process
Unmonitor End Time: 00:01:47, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xadc
Parent PID 0x97c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x11E4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff220000 0xff252fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff220000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:14:08 (UTC) True 1
Get Time type = Ticks, time = 140915 True 1
Process #142: net.exe
0 0
Information Value
ID #142
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop mfevtp /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:47, Reason: Child Process
Unmonitor End Time: 00:01:49, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb78
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xB7C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #143: net.exe
0 0
Information Value
ID #143
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MMS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:47, Reason: Child Process
Unmonitor End Time: 00:01:48, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x990
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x11F0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #144: net1.exe
17 0
Information Value
ID #144
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop McTaskManager /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:47, Reason: Child Process
Unmonitor End Time: 00:01:48, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x9b4
Parent PID 0xb00 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x11F4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x002affff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff220000 0xff252fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff220000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:14:09 (UTC) True 1
Get Time type = Ticks, time = 141243 True 1
Process #145: net1.exe
17 0
Information Value
ID #145
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop mfemms /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:47, Reason: Child Process
Unmonitor End Time: 00:01:48, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xb80
Parent PID 0xae4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xB84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
private_0x0000000000490000 0x00490000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff220000 0xff252fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff220000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:14:09 (UTC) True 1
Get Time type = Ticks, time = 141290 True 1
Process #146: net.exe
0 0
Information Value
ID #146
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop mozyprobackup /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:47, Reason: Child Process
Unmonitor End Time: 00:01:49, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0x94c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x950
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #147: net.exe
0 0
Information Value
ID #147
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MsDtsServer /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:47, Reason: Child Process
Unmonitor End Time: 00:01:49, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0x1204
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x9A8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0053ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #148: net1.exe
17 0
Information Value
ID #148
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MMS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:48, Reason: Child Process
Unmonitor End Time: 00:01:48, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xbf0
Parent PID 0x990 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1210
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x001effff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffd40000 0xffd72fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffd40000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:14:09 (UTC) True 1
Get Time type = Ticks, time = 141992 True 1
Process #149: net1.exe
17 0
Information Value
ID #149
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop mfevtp /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:48, Reason: Child Process
Unmonitor End Time: 00:01:49, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x974
Parent PID 0xb78 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x978
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffd40000 0xffd72fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffd40000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-02-13 19:14:09 (UTC) True 1
Get Time type = Ticks, time = 141726 True 1
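The process records above show the same pattern repeated: xhcdxx.exe launches net.exe with "stop <service> /y", net.exe hands the request to net1.exe, and net1.exe opens the service control manager; alongside this the taskkill.exe children in the Process Overview force-kill processes by image name. Killing backup and security services before encryption is the step a detection should catch. The following Python script is an added example and is not part of the VMRay report or of VMRay's tooling: it parses process records in the report's flattened layout, recognises "net stop" and "taskkill /IM" commands, walks the net.exe to net1.exe helper chain back to the process that issued them, and flags any origin that kills several distinct targets. The sample records are constructed from command lines and PIDs visible in the report; Process #900, the helper list and the threshold of three targets are assumptions for the example.

```python
"""Flag ransomware-style service and process termination in sandbox process records.

Added example for this report, not VMRay code. Reads records in the report's
flattened layout ('Process #N: image', 'Command Line ...', 'PID ...',
'Parent PID ... (path)') and attributes each kill to its originating process.
"""
import re
from collections import defaultdict

# Constructed sample: command lines and PIDs copied from the report's records,
# reduced to the four fields parsed below. Process #900 is an invented benign
# record (a plain 'net use' from explorer.exe) used as the negative case.
SAMPLE_RECORDS = r"""
Process #2: taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F
PID 0xf0
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Process #142: net.exe
Command Line "C:\Windows\System32\net.exe" stop mfevtp /y
PID 0xb78
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Process #143: net.exe
Command Line "C:\Windows\System32\net.exe" stop MMS /y
PID 0x990
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Process #144: net1.exe
Command Line C:\Windows\system32\net1 stop McTaskManager /y
PID 0x9b4
Parent PID 0xb00 (c:\windows\system32\net.exe)
Process #148: net1.exe
Command Line C:\Windows\system32\net1 stop MMS /y
PID 0xbf0
Parent PID 0x990 (c:\windows\system32\net.exe)
Process #900: net.exe
Command Line "C:\Windows\System32\net.exe" use
PID 0x1111
Parent PID 0x2222 (c:\windows\explorer.exe)
"""

PROCESS_RE = re.compile(r"^Process #(\d+): (\S+)$")
CMDLINE_RE = re.compile(r"^Command Line (.*)$")
PID_RE = re.compile(r"^PID (0x[0-9a-fA-F]+)$")
PPID_RE = re.compile(r"^Parent PID (0x[0-9a-fA-F]+)(?: \((.*)\))?$")

# net1 may appear without .exe and the image path may be quoted, as in the report.
NET_STOP_RE = re.compile(r'(?i)\bnet1?(?:\.exe)?"?\s+stop\s+"?([^"\s]+)"?')
TASKKILL_RE = re.compile(r'(?i)\btaskkill(?:\.exe)?"?\s.*?/IM\s+"?([^"\s]+)"?')
FORCE_RE = re.compile(r"(?i)\s/(?:y|f)(?:\s|$)")   # /y (net) or /F (taskkill)

# Helper binaries the origin walk steps over (assumed list for this example).
HELPERS = {"net.exe", "net1.exe", "taskkill.exe", "cmd.exe"}


def parse_records(text):
    """Turn the flattened 'Process #N' blocks into dicts (image names lower-cased)."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := PROCESS_RE.match(line):
            cur = {"id": int(m.group(1)), "image": m.group(2).lower(),
                   "cmdline": "", "pid": None, "ppid": None, "parent_image": ""}
            records.append(cur)
        elif cur is None:
            continue
        elif m := CMDLINE_RE.match(line):
            cur["cmdline"] = m.group(1)
        elif m := PID_RE.match(line):
            cur["pid"] = m.group(1).lower()
        elif m := PPID_RE.match(line):
            cur["ppid"] = m.group(1).lower()
            cur["parent_image"] = (m.group(2) or "").rsplit("\\", 1)[-1].lower()
    return records


def classify(cmdline):
    """Return (kind, target, forced) for a service/process kill command, else None."""
    for kind, rx in (("net stop", NET_STOP_RE), ("taskkill", TASKKILL_RE)):
        if m := rx.search(cmdline):
            return kind, m.group(1).lower(), bool(FORCE_RE.search(cmdline))
    return None


def root_of(rec, by_pid):
    """Follow parent links past helper binaries to the process that issued the kill.
    The report lists only monitored processes, so the walk stops at a parent it
    cannot find (PID 0xb00 in the sample) and returns that helper as best known."""
    pid, image = rec["ppid"], rec["parent_image"]
    while image in HELPERS and pid in by_pid:
        pid, image = by_pid[pid]["ppid"], by_pid[pid]["parent_image"]
    return pid, image


def summarize(records, threshold=3):
    """Group kills by origin; flag origins with at least `threshold` distinct targets."""
    by_pid = {r["pid"]: r for r in records if r["pid"]}
    kills = defaultdict(set)
    for r in records:
        if hit := classify(r["cmdline"]):
            kills[root_of(r, by_pid)].add(hit)
    return {f"{pid} {image}": {"targets": sorted(k), "flagged": len(k) >= threshold,
                               "origin_is_helper": image in HELPERS}
            for (pid, image), k in kills.items()}
```

Running summarize(parse_records(SAMPLE_RECORDS)) attributes the net.exe, net1.exe and taskkill.exe kills to PID 0xb0 (xhcdxx.exe) and flags it; the MMS stop counts once even though it appears on both net.exe and its net1.exe child. The net1.exe record whose parent 0xb00 is not among the records stays attributed to that net.exe helper, marked origin_is_helper, which is the signal to go back to the full process tree rather than to trust the partial attribution.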
Process #150: net.exe
0 0
Information Value
ID #150
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MsDtsServer100 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:48, Reason: Child Process
Unmonitor End Time: 00:01:50, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0x944
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x948
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #151: net.exe
Information Value
ID #151
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MsDtsServer110 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:48, Reason: Child Process
Unmonitor End Time: 00:01:50, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb20
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB58
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #152: net1.exe
Information Value
ID #152
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MsDtsServer /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:48, Reason: Child Process
Unmonitor End Time: 00:01:49, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x8d0
Parent PID 0x1204 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x910
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x001effff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0055ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff9c0000 0xff9f2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff9c0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-13 19:14:10 (UTC) True 1
Get Time type = Ticks, time = 142272 True 1
Process #153: net1.exe
Information Value
ID #153
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop mozyprobackup /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:48, Reason: Child Process
Unmonitor End Time: 00:01:49, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xaf0
Parent PID 0x94c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x964
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x001fffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff9c0000 0xff9f2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff9c0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-13 19:14:10 (UTC) True 1
Get Time type = Ticks, time = 142553 True 1
Process #154: net.exe
Information Value
ID #154
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSExchangeES /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:48, Reason: Child Process
Unmonitor End Time: 00:01:50, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7f0
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x478
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #155: net.exe
Information Value
ID #155
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSExchangeIS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:48, Reason: Child Process
Unmonitor End Time: 00:01:50, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x870
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xABC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #156: net.exe
Information Value
ID #156
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSExchangeMGMT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:49, Reason: Child Process
Unmonitor End Time: 00:01:50, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x96c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x121C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #157: net1.exe
Information Value
ID #157
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MsDtsServer100 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:49, Reason: Child Process
Unmonitor End Time: 00:01:50, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xaac
Parent PID 0x944 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8AC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000180000 0x00180000 0x0018ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x0057ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff800000 0xff832fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff800000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-13 19:14:10 (UTC) True 1
Get Time type = Ticks, time = 143240 True 1
Process #158: net1.exe
Information Value
ID #158
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MsDtsServer110 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:49, Reason: Child Process
Unmonitor End Time: 00:01:50, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x8d4
Parent PID 0xb20 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x914
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0028ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff800000 0xff832fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff800000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-13 19:14:10 (UTC) True 1
Get Time type = Ticks, time = 142787 True 1
Process #159: net.exe
Information Value
ID #159
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSExchangeMTA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:49, Reason: Child Process
Unmonitor End Time: 00:01:51, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7e0
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9F8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x001dffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0039ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #160: net.exe
0 0
Information Value
ID #160
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSExchangeSA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:49, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x92c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x804
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #161: net1.exe
17 0
Information Value
ID #161
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSExchangeES /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:49, Reason: Child Process
Unmonitor End Time: 00:01:50, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x918
Parent PID 0x7f0 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x170
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x003bffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff800000 0xff832fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff800000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-13 19:14:10 (UTC) True 1 Fn
Get Time type = Ticks, time = 143130 True 1 Fn
Process #162: net1.exe
17 0
Information Value
ID #162
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSExchangeIS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:49, Reason: Child Process
Unmonitor End Time: 00:01:50, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x8e8
Parent PID 0x870 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x934
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x002effff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff800000 0xff832fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff800000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-13 19:14:10 (UTC) True 1 Fn
Get Time type = Ticks, time = 143177 True 1 Fn
Process #163: net1.exe
17 0
Information Value
ID #163
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSExchangeMGMT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:49, Reason: Child Process
Unmonitor End Time: 00:01:50, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x884
Parent PID 0x96c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB54
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000220000 0x00220000 0x0022ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff800000 0xff832fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff800000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-13 19:14:10 (UTC) True 1 Fn
Get Time type = Ticks, time = 143208 True 1 Fn
Process #164: net.exe
0 0
Information Value
ID #164
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSExchangeSRS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:49, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x940
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x84C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #165: net.exe
0 0
Information Value
ID #165
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:50, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x818
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8E4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #166: net.exe
0 0
Information Value
ID #166
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:50, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb4c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB98
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x001dffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #167: net1.exe
17 0
Information Value
ID #167
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSExchangeMTA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:50, Reason: Child Process
Unmonitor End Time: 00:01:50, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xb48
Parent PID 0x7e0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB88
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
private_0x0000000000590000 0x00590000 0x0059ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffef0000 0xfff22fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
»
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffef0000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-13 19:14:11 (UTC) True 1
Fn
Get Time type = Ticks, time = 143723 True 1
Fn
Process #168: net.exe
0 0
Information Value
ID #168
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSOLAP$TPS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:50, Reason: Child Process
Unmonitor End Time: 00:01:51, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xab8
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xBA0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
private_0x0000000000660000 0x00660000 0x0066ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #169: net.exe
0 0
Information Value
ID #169
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:50, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x828
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x54C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #170: net1.exe
17 0
Information Value
ID #170
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSExchangeSA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:50, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x5c4
Parent PID 0x92c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x894
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
private_0x0000000000640000 0x00640000 0x0064ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa50000 0xffa82fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffa50000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:33 (UTC) True 1
Fn
Get Time type = Ticks, time = 144612 True 1
Fn
Process #171: net1.exe
17 0
Information Value
ID #171
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSExchangeSRS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:50, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xb8c
Parent PID 0x940 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x344
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0011ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa50000 0xffa82fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffa50000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:33 (UTC) True 1
Fn
Get Time type = Ticks, time = 144644 True 1
Fn
Process #172: net1.exe
17 0
Information Value
ID #172
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:50, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x9c8
Parent PID 0x818 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x900
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000230000 0x00230000 0x0023ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa50000 0xffa82fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffa50000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-13 19:14:12 (UTC) True 1
Fn
Get Time type = Ticks, time = 144269 True 1
Fn
Process #173: net.exe
0 0
Information Value
ID #173
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:50, Reason: Child Process
Unmonitor End Time: 00:01:53, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x938
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8F4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #174: net1.exe
17 0
Information Value
ID #174
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:50, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xc28
Parent PID 0xb4c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xBEC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x002bffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa50000 0xffa82fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffa50000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-13 19:14:12 (UTC) True 1
Fn
Get Time type = Ticks, time = 144347 True 1
Fn
Process #175: net.exe
0 0
Information Value
ID #175
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:50, Reason: Child Process
Unmonitor End Time: 00:01:54, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb3c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA58
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #176: net.exe
0 0
Information Value
ID #176
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:51, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7c4
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xBB0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #177: net1.exe
17 0
Information Value
ID #177
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSOLAP$TPS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:51, Reason: Child Process
Unmonitor End Time: 00:01:51, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xb94
Parent PID 0xab8 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xBF8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory rw True False False -
locale.nls 0x00170000 0x001d6fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff140000 0xff172fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff140000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:34 (UTC) True 1
Get Time type = Ticks, time = 145127 True 1
Process #178: net.exe
0 0
Information Value
ID #178
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:51, Reason: Child Process
Unmonitor End Time: 00:01:53, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xba8
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xD10
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #179: net1.exe
17 0
Information Value
ID #179
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:51, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x89c
Parent PID 0x828 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x874
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000120000 0x00120000 0x0012ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa10000 0xffa42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa10000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:34 (UTC) True 1
Get Time type = Ticks, time = 145268 True 1
Process #180: net.exe
0 0
Information Value
ID #180
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:51, Reason: Child Process
Unmonitor End Time: 00:01:53, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xba4
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xB5C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #181: net.exe
0 0
Information Value
ID #181
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:51, Reason: Child Process
Unmonitor End Time: 00:01:53, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8a8
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x93C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #182: net1.exe
17 0
Information Value
ID #182
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:51, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xa34
Parent PID 0x938 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xBE8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001e0000 0x001e0000 0x001effff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff070000 0xff0a2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff070000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:35 (UTC) True 1
Get Time type = Ticks, time = 145798 True 1
Process #183: net1.exe
17 0
Information Value
ID #183
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:52, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xab4
Parent PID 0x7c4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x330
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff070000 0xff0a2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff070000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:35 (UTC) True 1
Get Time type = Ticks, time = 145798 True 1
Process #184: net1.exe
17 0
Information Value
ID #184
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:52, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x127c
Parent PID 0xb3c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1198
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
locale.nls 0x00250000 0x002b6fff Memory Mapped File r False False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff070000 0xff0a2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff070000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:35 (UTC) True 1
Get Time type = Ticks, time = 145814 True 1
Process #185: net1.exe
17 0
Information Value
ID #185
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:52, Reason: Child Process
Unmonitor End Time: 00:01:52, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x1280
Parent PID 0xba8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x10A0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
locale.nls 0x00260000 0x002c6fff Memory Mapped File r False False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0041ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff070000 0xff0a2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff070000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:35 (UTC) True 1
Get Time type = Ticks, time = 145814 True 1
Process #186: net.exe
0 0
Information Value
ID #186
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:52, Reason: Child Process
Unmonitor End Time: 00:01:53, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1160
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1104
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #187: net.exe
0 0
Information Value
ID #187
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:52, Reason: Child Process
Unmonitor End Time: 00:01:54, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa30
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x12BC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #188: net.exe
0 0
Information Value
ID #188
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:52, Reason: Child Process
Unmonitor End Time: 00:01:54, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x12b4
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x126C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #189: net.exe
0 0
Information Value
ID #189
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$TPS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:52, Reason: Child Process
Unmonitor End Time: 00:01:54, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1288
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1194
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #190: net.exe
0 0
Information Value
ID #190
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:52, Reason: Child Process
Unmonitor End Time: 00:01:54, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1190
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x11B0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #191: net1.exe
17 0
Information Value
ID #191
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:52, Reason: Child Process
Unmonitor End Time: 00:01:53, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1310
Parent PID 0xa30 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1284
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
private_0x0000000000550000 0x00550000 0x0055ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff820000 0xff852fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff820000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:35 (UTC) True 1
Get Time type = Ticks, time = 146516 True 1
Process #192: net1.exe
17 0
Information Value
ID #192
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:52, Reason: Child Process
Unmonitor End Time: 00:01:54, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x1180
Parent PID 0xba4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x112C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0019ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
locale.nls 0x00230000 0x00296fff Memory Mapped File r False False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff820000 0xff852fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff820000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
»
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:35 (UTC) True 1
Fn
Get Time type = Ticks, time = 146484 True 1
Fn
Process #193: net1.exe
Information Value
ID #193
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:52, Reason: Child Process
Unmonitor End Time: 00:01:54, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x1274
Parent PID 0x8a8 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x117C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
private_0x00000000005a0000 0x005a0000 0x005affff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff820000 0xff852fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff820000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:35 (UTC) True 1 Fn
Get Time type = Ticks, time = 146500 True 1 Fn
Process #194: net1.exe
Information Value
ID #194
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:52, Reason: Child Process
Unmonitor End Time: 00:01:54, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x11a4
Parent PID 0x1160 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1178
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
private_0x0000000000520000 0x00520000 0x0052ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff820000 0xff852fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
»
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
»
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff820000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
»
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:35 (UTC) True 1
Fn
Get Time type = Ticks, time = 146500 True 1
Fn
Process #195: net.exe
Information Value
ID #195
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:53, Reason: Child Process
Unmonitor End Time: 00:01:54, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1218
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1270
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #196: net.exe
Information Value
ID #196
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:53, Reason: Child Process
Unmonitor End Time: 00:01:54, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1324
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1330
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #197: net1.exe
Information Value
ID #197
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:53, Reason: Child Process
Unmonitor End Time: 00:01:53, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x134c
Parent PID 0x12b4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1364
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff670000 0xff6a2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff670000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:36 (UTC) True 1 Fn
Get Time type = Ticks, time = 147077 True 1 Fn
Process #198: net1.exe
Information Value
ID #198
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$TPS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:53, Reason: Child Process
Unmonitor End Time: 00:01:54, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1358
Parent PID 0x1288 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x139C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
private_0x0000000000710000 0x00710000 0x0071ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff670000 0xff6a2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff670000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:36 (UTC) True 1 Fn
Get Time type = Ticks, time = 147296 True 1 Fn
Process #199: net.exe
Information Value
ID #199
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:53, Reason: Child Process
Unmonitor End Time: 00:01:55, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1380
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1388
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #200: net1.exe
Information Value
ID #200
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:53, Reason: Child Process
Unmonitor End Time: 00:01:54, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1384
Parent PID 0x1190 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x13D4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff670000 0xff6a2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff670000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:36 (UTC) True 1 Fn
Get Time type = Ticks, time = 147171 True 1 Fn
Process #201: net.exe
Information Value
ID #201
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:53, Reason: Child Process
Unmonitor End Time: 00:01:55, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x13e4
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC38
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #202: net.exe
Information Value
ID #202
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:53, Reason: Child Process
Unmonitor End Time: 00:01:56, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1390
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x13D0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #203: net1.exe
Information Value
ID #203
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:54, Reason: Child Process
Unmonitor End Time: 00:01:54, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x81c
Parent PID 0x1218 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8F8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
private_0x00000000004d0000 0x004d0000 0x004dffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff670000 0xff6a2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff670000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:36 (UTC) True 1 Fn
Get Time type = Ticks, time = 147592 True 1 Fn
Process #204: net1.exe
Information Value
ID #204
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:54, Reason: Child Process
Unmonitor End Time: 00:01:54, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x83c
Parent PID 0x1324 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x12E4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x0013ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff670000 0xff6a2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff670000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:36 (UTC) True 1 Fn
Get Time type = Ticks, time = 147701 True 1 Fn
Process #205: net.exe
Information Value
ID #205
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:54, Reason: Child Process
Unmonitor End Time: 00:01:56, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x136c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x12DC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #206: net.exe
Information Value
ID #206
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:54, Reason: Child Process
Unmonitor End Time: 00:01:55, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x12f0
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1314
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #207: net.exe
Information Value
ID #207
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:54, Reason: Child Process
Unmonitor End Time: 00:01:56, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1354
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1340
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0053ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #208: net.exe
Information Value
ID #208
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:54, Reason: Child Process
Unmonitor End Time: 00:01:56, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1368
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x133C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #209: net1.exe
Information Value
ID #209
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:54, Reason: Child Process
Unmonitor End Time: 00:01:55, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1360
Parent PID 0x136c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1348
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x001effff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff580000 0xff5b2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff580000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:37 (UTC) True 1 Fn
Get Time type = Ticks, time = 148278 True 1 Fn
Process #210: net1.exe
Information Value
ID #210
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:54, Reason: Child Process
Unmonitor End Time: 00:01:55, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1328
Parent PID 0x1380 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x135C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff580000 0xff5b2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff580000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:37 (UTC) True 1
Get Time type = Ticks, time = 148388 True 1
Process #211: net1.exe
Information Value
ID #211
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:54, Reason: Child Process
Unmonitor End Time: 00:01:55, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1334
Parent PID 0x13e4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x13F4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x001affff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff580000 0xff5b2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff580000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:37 (UTC) True 1
Get Time type = Ticks, time = 148278 True 1
Process #212: net.exe
Information Value
ID #212
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:54, Reason: Child Process
Unmonitor End Time: 00:01:57, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xdd8
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1044
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #213: net1.exe
Information Value
ID #213
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:55, Reason: Child Process
Unmonitor End Time: 00:01:56, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf04
Parent PID 0x1390 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x13AC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x003affff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff8a0000 0xff8d2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff8a0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:37 (UTC) True 1
Get Time type = Ticks, time = 148684 True 1
Process #214: net1.exe
Information Value
ID #214
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:55, Reason: Child Process
Unmonitor End Time: 00:01:56, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xcdc
Parent PID 0x12f0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xCE8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff8a0000 0xff8d2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff8a0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:37 (UTC) True 1
Get Time type = Ticks, time = 148653 True 1
Process #215: net.exe
Information Value
ID #215
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLSERVER /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:55, Reason: Child Process
Unmonitor End Time: 00:01:57, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1064
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x13B8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #216: net1.exe
Information Value
ID #216
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:55, Reason: Child Process
Unmonitor End Time: 00:01:55, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x13e0
Parent PID 0x1354 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xD80
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x0000000000510000 0x00510000 0x0051ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff8a0000 0xff8d2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff8a0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:38 (UTC) True 1
Get Time type = Ticks, time = 148918 True 1
Process #217: net.exe
Information Value
ID #217
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:55, Reason: Child Process
Unmonitor End Time: 00:01:57, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1020
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x13F0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #218: net1.exe
Information Value
ID #218
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:55, Reason: Child Process
Unmonitor End Time: 00:01:56, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xb34
Parent PID 0x1368 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x00000000004d0000 0x004d0000 0x004dffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffef0000 0xfff22fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffef0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:38 (UTC) True 1 Fn
Get Time type = Ticks, time = 149464 True 1 Fn
Process #219: net1.exe
Information Value
ID #219
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:55, Reason: Child Process
Unmonitor End Time: 00:01:56, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf84
Parent PID 0xdd8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xFB4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffef0000 0xfff22fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffef0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:38 (UTC) True 1 Fn
Get Time type = Ticks, time = 149417 True 1 Fn
Process #220: net.exe
Information Value
ID #220
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:55, Reason: Child Process
Unmonitor End Time: 00:02:00, Reason: Self Terminated
Monitor Duration 00:00:05
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1078
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1018
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #221: net.exe
Information Value
ID #221
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MySQL80 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:56, Reason: Child Process
Unmonitor End Time: 00:02:01, Reason: Self Terminated
Monitor Duration 00:00:05
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1028
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC04
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x001dffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #222: net.exe
Information Value
ID #222
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MySQL57 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:56, Reason: Child Process
Unmonitor End Time: 00:02:01, Reason: Self Terminated
Monitor Duration 00:00:05
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x10b0
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xCF8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #223: net1.exe
Information Value
ID #223
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:56, Reason: Child Process
Unmonitor End Time: 00:01:56, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x1264
Parent PID 0x1020 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF94
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffef0000 0xfff22fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffef0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:38 (UTC) True 1 Fn
Get Time type = Ticks, time = 149714 True 1 Fn
Process #224: net.exe
Information Value
ID #224
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ntrtscan /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:56, Reason: Child Process
Unmonitor End Time: 00:02:02, Reason: Self Terminated
Monitor Duration 00:00:06
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1050
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xFB8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #225: net1.exe
Information Value
ID #225
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLSERVER /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:56, Reason: Child Process
Unmonitor End Time: 00:01:57, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x101c
Parent PID 0x1064 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x105C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory rw True False False -
private_0x00000000005e0000 0x005e0000 0x005effff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffef0000 0xfff22fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffef0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:39 (UTC) True 1 Fn
Get Time type = Ticks, time = 149838 True 1 Fn
Process #226: net.exe
Information Value
ID #226
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop OracleClientCache80 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:56, Reason: Child Process
Unmonitor End Time: 00:02:01, Reason: Self Terminated
Monitor Duration 00:00:05
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x10c4
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xEA8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #227: net.exe
0 0
Information Value
ID #227
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop PDVFSService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:56, Reason: Child Process
Unmonitor End Time: 00:02:01, Reason: Self Terminated
Monitor Duration 00:00:05
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1088
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC54
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #228: net.exe
0 0
Information Value
ID #228
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop POP3Svc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:56, Reason: Child Process
Unmonitor End Time: 00:02:01, Reason: Self Terminated
Monitor Duration 00:00:05
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1040
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x10C0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #229: net.exe
0 0
Information Value
ID #229
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ReportServer /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:56, Reason: Child Process
Unmonitor End Time: 00:01:57, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc84
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1014
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #230: net.exe
0 0
Information Value
ID #230
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:56, Reason: Child Process
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1130
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1170
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #231: net.exe
0 0
Information Value
ID #231
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:56, Reason: Child Process
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1070
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xFC4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #232: net.exe
0 0
Information Value
ID #232
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ReportServer$TPS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:56, Reason: Child Process
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf90
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF8C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #233: net1.exe
17 0
Information Value
ID #233
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ReportServer /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:56, Reason: Child Process
Unmonitor End Time: 00:01:57, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1004
Parent PID 0xc84 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF10
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000cffff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffaf0000 0xffb22fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffaf0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:39 (UTC) True 1 Fn
Get Time type = Ticks, time = 150384 True 1 Fn
Process #234: net1.exe
17 0
Information Value
ID #234
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:56, Reason: Child Process
Unmonitor End Time: 00:01:57, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xfa8
Parent PID 0x1130 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1038
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffaf0000 0xffb22fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffaf0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:39 (UTC) True 1 Fn
Get Time type = Ticks, time = 150447 True 1 Fn
Process #235: net.exe
0 0
Information Value
ID #235
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:57, Reason: Child Process
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x10ac
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA50
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #236: net.exe
0 0
Information Value
ID #236
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop RESvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:57, Reason: Child Process
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x118c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1068
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #237: net1.exe
17 0
Information Value
ID #237
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ReportServer$TPS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:57, Reason: Child Process
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xa4c
Parent PID 0xf90 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA40
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffaf0000 0xffb22fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffaf0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:40 (UTC) True 1
Get Time type = Ticks, time = 150759 True 1
Process #238: net1.exe
17 0
Information Value
ID #238
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:57, Reason: Child Process
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x104c
Parent PID 0x1070 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xEF8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
private_0x00000000004c0000 0x004c0000 0x004cffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffaf0000 0xffb22fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffaf0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:40 (UTC) True 1
Get Time type = Ticks, time = 150821 True 1
Process #239: net.exe
0 0
Information Value
ID #239
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop sacsvr /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:57, Reason: Child Process
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1080
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x10CC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #240: net.exe
0 0
Information Value
ID #240
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SamSs /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:57, Reason: Child Process
Unmonitor End Time: 00:01:59, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1084
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x11C8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #241: net1.exe
17 0
Information Value
ID #241
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:57, Reason: Child Process
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xc24
Parent PID 0x10ac (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1134
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
locale.nls 0x001d0000 0x00236fff Memory Mapped File r False False False -
private_0x0000000000280000 0x00280000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffaf0000 0xffb22fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffaf0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:40 (UTC) True 1
Get Time type = Ticks, time = 151196 True 1
Process #242: net1.exe
17 0
Information Value
ID #242
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop RESvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:57, Reason: Child Process
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1030
Parent PID 0x118c (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x11C4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0033ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffaf0000 0xffb22fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffaf0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:40 (UTC) True 1
Get Time type = Ticks, time = 151196 True 1
Process #243: net.exe
0 0
Information Value
ID #243
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SAVAdminService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:57, Reason: Child Process
Unmonitor End Time: 00:01:59, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x11d0
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x11BC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #244: net.exe
0 0
Information Value
ID #244
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SAVService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:57, Reason: Child Process
Unmonitor End Time: 00:01:59, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x11e8
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xAD8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #245: net1.exe
19 0
Information Value
ID #245
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SamSs /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:58, Reason: Child Process
Unmonitor End Time: 00:01:59, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x11e0
Parent PID 0x1084 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xADC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffaf0000 0xffb22fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 71 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffaf0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (4)
Operation Additional Information Success Count Logfile
Get Info service_name = SAMSS True 1 Fn
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:40 (UTC) True 1 Fn
Get Time type = Ticks, time = 151601 True 1 Fn
Process #246: net1.exe
17 0
Information Value
ID #246
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop sacsvr /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:58, Reason: Child Process
Unmonitor End Time: 00:01:59, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x9b8
Parent PID 0x1080 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x98C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
locale.nls 0x001f0000 0x00256fff Memory Mapped File r False False False -
private_0x0000000000320000 0x00320000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffaf0000 0xffb22fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffaf0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:40 (UTC) True 1 Fn
Get Time type = Ticks, time = 151570 True 1 Fn
Process #247: net.exe
0 0
Information Value
ID #247
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SDRSVC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:58, Reason: Child Process
Unmonitor End Time: 00:01:59, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x11a8
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xBD8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #248: net.exe
0 0
Information Value
ID #248
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SepMasterService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:58, Reason: Child Process
Unmonitor End Time: 00:02:00, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1200
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x11F4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x003affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #249: net1.exe
17 0
Information Value
ID #249
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SAVService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:58, Reason: Child Process
Unmonitor End Time: 00:01:59, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x988
Parent PID 0x11e8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x878
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb70000 0xffba2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffb70000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:41 (UTC) True 1 Fn
Get Time type = Ticks, time = 152225 True 1 Fn
Process #250: net1.exe
17 0
Information Value
ID #250
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SAVAdminService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:58, Reason: Child Process
Unmonitor End Time: 00:01:59, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x998
Parent PID 0x11d0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x120C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000160000 0x00160000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb70000 0xffba2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffb70000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:41 (UTC) True 1 Fn
Get Time type = Ticks, time = 152241 True 1 Fn
Process #251: net.exe
0 0
Information Value
ID #251
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ShMonitor /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:58, Reason: Child Process
Unmonitor End Time: 00:02:01, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7fc
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x990
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #252: net1.exe
17 0
Information Value
ID #252
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SepMasterService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:59, Reason: Child Process
Unmonitor End Time: 00:01:59, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x414
Parent PID 0x1200 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8D0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0011ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff880000 0xff8b2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff880000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:41 (UTC) True 1 Fn
Get Time type = Ticks, time = 152522 True 1 Fn
Process #253: net1.exe
17 0
Information Value
ID #253
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:59, Reason: Child Process
Unmonitor End Time: 00:02:00, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1204
Parent PID 0x1078 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1214
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0006ffff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff880000 0xff8b2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff880000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:42 (UTC) True 1 Fn
Get Time type = Ticks, time = 152756 True 1 Fn
Process #254: net1.exe
17 0
Information Value
ID #254
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MySQL57 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:59, Reason: Child Process
Unmonitor End Time: 00:02:00, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xbc4
Parent PID 0x10b0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xB38
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x003dffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff880000 0xff8b2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff880000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:42 (UTC) True 1 Fn
Get Time type = Ticks, time = 153099 True 1 Fn
Process #255: net1.exe
17 0
Information Value
ID #255
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop OracleClientCache80 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:59, Reason: Child Process
Unmonitor End Time: 00:02:00, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xbe4
Parent PID 0x10c4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x9FC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000500000 0x00500000 0x0050ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff880000 0xff8b2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff880000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:42 (UTC) True 1 Fn
Get Time type = Ticks, time = 152818 True 1 Fn
Process #256: net.exe
0 0
Information Value
ID #256
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop Smcinst /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:59, Reason: Child Process
Unmonitor End Time: 00:02:02, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xaec
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC2C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x0022ffff Private Memory rw True False False -
locale.nls 0x00230000 0x00296fff Memory Mapped File r False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #257: net1.exe
20 0
Information Value
ID #257
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SDRSVC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:59, Reason: Child Process
Unmonitor End Time: 00:01:59, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x950
Parent PID 0x11a8 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x94C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
locale.nls 0x00240000 0x002a6fff Memory Mapped File r False False False -
private_0x0000000000380000 0x00380000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff880000 0xff8b2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 44 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff880000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (5)
Operation Additional Information Success Count Logfile
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Get Info service_name = SDRSVC True 1 Fn
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:42 (UTC) True 1 Fn
Get Time type = Ticks, time = 152974 True 1 Fn
Process #258: net.exe
0 0
Information Value
ID #258
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SmcService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:59, Reason: Child Process
Unmonitor End Time: 00:02:02, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8e0
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x8AC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #259: net.exe
0 0
Information Value
ID #259
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SMTPSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:59, Reason: Child Process
Unmonitor End Time: 00:02:02, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa7c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x934
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #260: net1.exe
17 0
Information Value
ID #260
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MySQL80 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:59, Reason: Child Process
Unmonitor End Time: 00:02:01, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xb54
Parent PID 0x1028 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA88
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0036ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff80000 0xfffb2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfff80000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:42 (UTC) True 1
Get Time type = Ticks, time = 153551 True 1
Process #261: net1.exe
Information Value
ID #261
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ShMonitor /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:59, Reason: Child Process
Unmonitor End Time: 00:02:01, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xaa0
Parent PID 0x7fc (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8E8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000cffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff80000 0xfffb2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfff80000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:42 (UTC) True 1
Get Time type = Ticks, time = 153582 True 1
Process #262: net1.exe
Information Value
ID #262
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop PDVFSService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:59, Reason: Child Process
Unmonitor End Time: 00:02:01, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x884
Parent PID 0x1088 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x10C8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
locale.nls 0x00270000 0x002d6fff Memory Mapped File r False False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff80000 0xfffb2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfff80000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:42 (UTC) True 1
Get Time type = Ticks, time = 153614 True 1
Process #263: net.exe
Information Value
ID #263
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SNAC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:00, Reason: Child Process
Unmonitor End Time: 00:02:02, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x6dc
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1140
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
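The processes above show the sample's service-tampering chain: xhcdxx.exe (PID 0xb0) spawns net.exe stop <service> /y, net.exe hands the work to a net1.exe child with the same arguments, and, as the process overview lists, taskkill.exe /IM <image> /F is used against security, backup and database products. The Python below is an added detection example written for this page; it is not part of the VMRay report or of the sample. It classifies process-creation records, walks each net.exe/net1.exe/taskkill.exe helper back to the process that launched it, and flags any launcher that stops or kills at least a threshold of distinct targets, which separates this burst from a single administrative net stop. The ProcEvent records are constructed from the report; the PIDs of the net.exe launchers, the benign cmd.exe/Spooler records and the threshold of 5 are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record: PID, parent PID, image path, command line."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# "net stop <svc> /y" / "net1 stop <svc> /y", with or without path, quotes or .exe.
# A service name containing spaces arrives quoted; the alternation accepts both forms.
NET_STOP_RE = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?net1?(?:\.exe)?"?\s+stop\s+(?:"([^"]+)"|(\S+))(?:\s+/y)?\s*$',
    re.IGNORECASE,
)
# "taskkill ..." with the argument string captured; only the /IM form is classified here.
TASKKILL_RE = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?taskkill(?:\.exe)?"?\s+(.+)$', re.IGNORECASE
)
TASKKILL_IM_RE = re.compile(r'/IM\s+"?([^"\s]+)"?', re.IGNORECASE)
TASKKILL_FORCE_RE = re.compile(r'(?:^|\s)/F(?:\s|$)', re.IGNORECASE)

# Helpers the sample drives; findings are attributed to the first non-helper ancestor.
HELPER_IMAGES = {"net.exe", "net1.exe", "taskkill.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(cmdline: str):
    """Return ("net_stop", service), ("taskkill", image, forced) or None."""
    m = NET_STOP_RE.match(cmdline)
    if m:
        return ("net_stop", m.group(1) or m.group(2))
    m = TASKKILL_RE.match(cmdline)
    if m:
        im = TASKKILL_IM_RE.search(m.group(1))
        if im:
            return ("taskkill", im.group(1), TASKKILL_FORCE_RE.search(m.group(1)) is not None)
    return None


def find_root(pid: int, by_pid: dict):
    """Walk the parent chain past net.exe/net1.exe/taskkill.exe to the process that issued the command."""
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and basename(cur.image) in HELPER_IMAGES and cur.pid not in seen:
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return cur


def detect_service_tampering(events, threshold: int = 5) -> dict:
    """Group stop/kill targets by launching process; flag launchers with >= threshold distinct targets."""
    by_pid = {e.pid: e for e in events}
    stopped, killed = defaultdict(set), defaultdict(set)
    for e in events:
        verdict = classify(e.cmdline)
        if verdict is None:
            continue
        root = find_root(e.ppid, by_pid) if basename(e.image) in HELPER_IMAGES else e
        key = (root.pid, basename(root.image)) if root else (e.ppid, "<unknown>")
        if verdict[0] == "net_stop":
            stopped[key].add(verdict[1].lower())  # net.exe and its net1.exe child dedupe here
        else:
            killed[key].add(verdict[1].lower())
    findings = {}
    for key in set(stopped) | set(killed):
        if len(stopped[key]) + len(killed[key]) >= threshold:
            findings[key] = {
                "services_stopped": sorted(stopped[key]),
                "images_killed": sorted(killed[key]),
            }
    return findings


# Constructed sample modeled on this report. The net.exe launcher PIDs 0x6e0/0x1040/0x7fc and
# the benign cmd.exe/Spooler records (0x500/0x510) are invented, not taken from the sandbox output.
SAMPLE_EVENTS = [
    ProcEvent(0xb0, 0x4d8, r"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe",
              r'"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe"'),
    ProcEvent(0xf0, 0xb0, r"C:\Windows\System32\taskkill.exe", r'"C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F'),
    ProcEvent(0x3c8, 0xb0, r"C:\Windows\System32\taskkill.exe", r'"C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F'),
    ProcEvent(0x578, 0xb0, r"C:\Windows\System32\taskkill.exe", r'"C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F'),
    ProcEvent(0x6dc, 0xb0, r"C:\Windows\System32\net.exe", r'"C:\Windows\System32\net.exe" stop SNAC /y'),
    ProcEvent(0x6e0, 0x6dc, r"C:\Windows\System32\net1.exe", r"C:\Windows\system32\net1 stop SNAC /y"),
    ProcEvent(0x1040, 0xb0, r"C:\Windows\System32\net.exe", r'"C:\Windows\System32\net.exe" stop POP3Svc /y'),
    ProcEvent(0x121c, 0x1040, r"C:\Windows\System32\net1.exe", r"C:\Windows\system32\net1 stop POP3Svc /y"),
    ProcEvent(0x7fc, 0xb0, r"C:\Windows\System32\net.exe", r'"C:\Windows\System32\net.exe" stop ShMonitor /y'),
    ProcEvent(0xaa0, 0x7fc, r"C:\Windows\System32\net1.exe", r"C:\Windows\system32\net1 stop ShMonitor /y"),
    # Benign: an administrator stopping one service from a shell stays under the threshold.
    ProcEvent(0x500, 0x4d8, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    ProcEvent(0x510, 0x500, r"C:\Windows\System32\net.exe", r'"C:\Windows\System32\net.exe" stop Spooler /y'),
]

if __name__ == "__main__":
    for key, hit in detect_service_tampering(SAMPLE_EVENTS).items():
        print(key, hit)
```

Attribution to the launching process matters because each net.exe and net1.exe pair in this report carries the same service name; counting by the helper's own PID would give every process a count of one and never trip the threshold, while counting by the parent of the helper chain gives xhcdxx.exe the whole burst.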
Process #264: net1.exe
Information Value
ID #264
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop POP3Svc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:00, Reason: Child Process
Unmonitor End Time: 00:02:01, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x121c
Parent PID 0x1040 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x7F0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000004c0000 0x004c0000 0x004cffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff80000 0xfffb2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfff80000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:43 (UTC) True 1
Get Time type = Ticks, time = 154035 True 1
Process #265: net1.exe
Information Value
ID #265
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ntrtscan /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:00, Reason: Child Process
Unmonitor End Time: 00:02:01, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xc30
Parent PID 0x1050 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB30
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000180000 0x00180000 0x0018ffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff80000 0xfffb2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfff80000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:43 (UTC) True 1
Get Time type = Ticks, time = 154035 True 1
Process #266: net1.exe
Information Value
ID #266
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SmcService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:00, Reason: Child Process
Unmonitor End Time: 00:02:02, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x920
Parent PID 0x8e0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA54
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
private_0x0000000000620000 0x00620000 0x0062ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff80000 0xfffb2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfff80000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:43 (UTC) True 1
Get Time type = Ticks, time = 154300 True 1
Process #267: net1.exe
Information Value
ID #267
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop Smcinst /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:00, Reason: Child Process
Unmonitor End Time: 00:02:02, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xb50
Parent PID 0xaec (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x960
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000080000 0x00080000 0x0008ffff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff80000 0xfffb2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation   Filename            Additional Information   Success   Count
Get Info    STD_ERROR_HANDLE    type = file_type         True      4
Open        STD_OUTPUT_HANDLE   -                        True      1
Open        STD_ERROR_HANDLE    -                        True      1
Write       STD_ERROR_HANDLE    size = 30                True      1
Write       STD_ERROR_HANDLE    size = 2                 True      2
Write       STD_ERROR_HANDLE    size = 52                True      1
Module (3)
Operation      Module                         Additional Information                                                                                Success   Count
Load           NETMSG                         base_address = 0x75280000                                                                             True      1
Get Handle     c:\windows\system32\net1.exe   base_address = 0xfff80000                                                                             True      1
Get Filename   -                              process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260   True      1
Service (2)
Operation          Additional Information                     Success   Count
Get Service Name   database_name = SERVICES_ACTIVE_DATABASE   False     1
Open Manager       database_name = SERVICES_ACTIVE_DATABASE   True      1
System (2)
Operation   Additional Information                                  Success   Count
Get Time    type = System Time, time = 2018-11-27 19:40:43 (UTC)   True      1
Get Time    type = Ticks, time = 154206                             True      1
Process #268: net.exe
0 0
Information Value
ID #268
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SntpService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:00, Reason: Child Process
Unmonitor End Time: 00:02:01, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x96c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xB68
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
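The net.exe entries in this process list (for example #268, `net.exe stop SntpService /y`, whose net1.exe child is #273) together with the taskkill.exe children in the process overview are the sample's defense-impairment step: net.exe itself does nothing but forward to net1.exe, which is why every net.exe child here shows "No high level activity" while its net1.exe child opens the service control manager. As an added example, not part of the VMRay report or of the sample, here is a Python detector that attributes each `net stop` / `taskkill /IM` command line to the process that really issued it (walking past the net.exe to net1.exe hand-off so the pair counts once) and flags any originator that targets many services or processes. The event records, their PIDs and the threshold of 5 are constructed for illustration and only mirror the report's field layout.

```python
"""Added example (not from the VMRay report): attribute service-stop and
process-kill commands to the process that launched them and flag any origin
that issues many of them.

Pattern in the report:
  xhcdxx.exe -> net.exe stop <svc> /y -> net1.exe stop <svc> /y  (net.exe only forwards)
  xhcdxx.exe -> taskkill.exe /IM <image> /F
"""
import re
from collections import defaultdict

# "net stop X", "net.exe stop X", "net1 stop X" (quoted or bare executable path)
NET_STOP = re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+(?P<target>"[^"]+"|\S+)', re.I)
# "taskkill ... /IM X ..." with the image name quoted or bare
TASKKILL = re.compile(r'\btaskkill(?:\.exe)?"?\s+.*?/IM\s+(?P<target>"[^"]+"|\S+)', re.I)
# net.exe forwards to net1.exe, so neither is ever the real originator.
LAUNCHERS = {"net.exe", "net1.exe"}

EVENTS = [  # constructed process-creation records (hex PIDs as in the report)
    {"pid": 0x0b0, "ppid": 0x4c0, "image": r"C:\Users\u\Desktop\xhcdxx.exe",
     "cmd": r'"C:\Users\u\Desktop\xhcdxx.exe"'},
    {"pid": 0x96c, "ppid": 0x0b0, "image": r"C:\Windows\System32\net.exe",
     "cmd": r'"C:\Windows\System32\net.exe" stop SntpService /y'},
    {"pid": 0x854, "ppid": 0x96c, "image": r"C:\Windows\System32\net1.exe",
     "cmd": r"C:\Windows\system32\net1 stop SntpService /y"},
    {"pid": 0xa1c, "ppid": 0x0b0, "image": r"C:\Windows\System32\net.exe",
     "cmd": r'"C:\Windows\System32\net.exe" stop sophossps /y'},
    {"pid": 0xc9c, "ppid": 0xa1c, "image": r"C:\Windows\System32\net1.exe",
     "cmd": r"C:\Windows\system32\net1 stop sophossps /y"},
    {"pid": 0xd78, "ppid": 0x0b0, "image": r"C:\Windows\System32\net.exe",
     "cmd": r'"C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y'},
    {"pid": 0xaec, "ppid": 0x0b0, "image": r"C:\Windows\System32\net.exe",
     "cmd": r'"C:\Windows\System32\net.exe" stop Smcinst /y'},
    {"pid": 0xb50, "ppid": 0xaec, "image": r"C:\Windows\System32\net1.exe",
     "cmd": r"C:\Windows\system32\net1 stop Smcinst /y"},
    {"pid": 0x2f0, "ppid": 0x0b0, "image": r"C:\Windows\System32\taskkill.exe",
     "cmd": r'"C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F'},
    {"pid": 0x3c8, "ppid": 0x0b0, "image": r"C:\Windows\System32\taskkill.exe",
     "cmd": r'"C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F'},
    {"pid": 0x578, "ppid": 0x0b0, "image": r"C:\Windows\System32\taskkill.exe",
     "cmd": r'"C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F'},
    # benign: one service restart from an admin shell whose own record is not in the log
    {"pid": 0x123, "ppid": 0x099, "image": r"C:\Windows\System32\net.exe",
     "cmd": r"net stop Spooler"},
    {"pid": 0x124, "ppid": 0x123, "image": r"C:\Windows\System32\net1.exe",
     "cmd": r"C:\Windows\system32\net1 stop Spooler"},
]


def classify(cmd):
    """('service', name) for a net stop, ('process', image) for a taskkill, else None."""
    m = NET_STOP.search(cmd)
    if m:
        return "service", m.group("target").strip('"')
    m = TASKKILL.search(cmd)
    if m:
        return "process", m.group("target").strip('"')
    return None


def origin_of(pid, by_pid):
    """Walk up from a parent PID, skipping net.exe/net1.exe hops, to the real originator.
    Returns the first non-launcher PID, or the last PID seen if the chain leaves the log."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)  # guard against PID reuse producing a cycle
        image = by_pid[pid]["image"].lower().rsplit("\\", 1)[-1]
        if image not in LAUNCHERS:
            return pid
        pid = by_pid[pid]["ppid"]
    return pid


def impair_defense_summary(events):
    """{origin_pid: {'service': set, 'process': set}} of distinct targets per originator.
    net.exe and its net1.exe child name the same service, so the set counts it once."""
    by_pid = {e["pid"]: e for e in events}
    summary = defaultdict(lambda: {"service": set(), "process": set()})
    for e in events:
        hit = classify(e["cmd"])
        if hit:
            kind, target = hit
            summary[origin_of(e["ppid"], by_pid)][kind].add(target.lower())
    return summary


def flag_mass_stoppers(events, threshold=5):
    """Originators with at least `threshold` distinct stop/kill targets (threshold is a tunable guess)."""
    flagged = {}
    for origin, s in impair_defense_summary(events).items():
        total = len(s["service"]) + len(s["process"])
        if total >= threshold:
            flagged[origin] = {"service": sorted(s["service"]),
                               "process": sorted(s["process"]), "total": total}
    return flagged


if __name__ == "__main__":
    for origin, info in flag_mass_stoppers(EVENTS).items():
        print(f"origin PID {origin:#x}: {info['total']} targets "
              f"services={info['service']} processes={info['process']}")
```

To run this against real data, map Sysmon Event ID 1 or EDR process-creation fields (ProcessId, ParentProcessId, Image, CommandLine) into the same record shape. The single `net stop Spooler` from an admin shell in the last two records stays below the threshold, while the constructed xhcdxx.exe origin reaches 7 distinct targets; tune the threshold to the environment rather than treating 5 as a fixed value.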
Process #269: net.exe
0 0
Information Value
ID #269
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop sophossps /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:00, Reason: Child Process
Unmonitor End Time: 00:02:02, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa1c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x8F0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #270: net1.exe
17 0
Information Value
ID #270
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SNAC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:01, Reason: Child Process
Unmonitor End Time: 00:02:02, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x898
Parent PID 0x6dc (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x4E0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff80000 0xfffb2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation   Filename            Additional Information   Success   Count
Get Info    STD_ERROR_HANDLE    type = file_type         True      4
Open        STD_OUTPUT_HANDLE   -                        True      1
Open        STD_ERROR_HANDLE    -                        True      1
Write       STD_ERROR_HANDLE    size = 30                True      1
Write       STD_ERROR_HANDLE    size = 2                 True      2
Write       STD_ERROR_HANDLE    size = 52                True      1
Module (3)
Operation      Module                         Additional Information                                                                                Success   Count
Load           NETMSG                         base_address = 0x75280000                                                                             True      1
Get Handle     c:\windows\system32\net1.exe   base_address = 0xfff80000                                                                             True      1
Get Filename   -                              process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260   True      1
Service (2)
Operation          Additional Information                     Success   Count
Get Service Name   database_name = SERVICES_ACTIVE_DATABASE   False     1
Open Manager       database_name = SERVICES_ACTIVE_DATABASE   True      1
System (2)
Operation   Additional Information                                  Success   Count
Get Time    type = System Time, time = 2018-11-27 19:40:43 (UTC)   True      1
Get Time    type = Ticks, time = 154596                             True      1
Process #271: net1.exe
17 0
Information Value
ID #271
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SMTPSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:01, Reason: Child Process
Unmonitor End Time: 00:02:02, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xc14
Parent PID 0xa7c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA64
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0023ffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff80000 0xfffb2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation   Filename            Additional Information   Success   Count
Get Info    STD_ERROR_HANDLE    type = file_type         True      4
Open        STD_OUTPUT_HANDLE   -                        True      1
Open        STD_ERROR_HANDLE    -                        True      1
Write       STD_ERROR_HANDLE    size = 30                True      1
Write       STD_ERROR_HANDLE    size = 2                 True      2
Write       STD_ERROR_HANDLE    size = 52                True      1
Module (3)
Operation      Module                         Additional Information                                                                                Success   Count
Load           NETMSG                         base_address = 0x75280000                                                                             True      1
Get Handle     c:\windows\system32\net1.exe   base_address = 0xfff80000                                                                             True      1
Get Filename   -                              process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260   True      1
Service (2)
Operation          Additional Information                     Success   Count
Get Service Name   database_name = SERVICES_ACTIVE_DATABASE   False     1
Open Manager       database_name = SERVICES_ACTIVE_DATABASE   True      1
System (2)
Operation   Additional Information                                  Success   Count
Get Time    type = System Time, time = 2018-11-27 19:40:43 (UTC)   True      1
Get Time    type = Ticks, time = 154690                             True      1
Process #272: net.exe
0 0
Information Value
ID #272
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:01, Reason: Child Process
Unmonitor End Time: 00:02:02, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd78
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xDAC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #273: net1.exe
17 0
Information Value
ID #273
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SntpService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:01, Reason: Child Process
Unmonitor End Time: 00:02:01, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x854
Parent PID 0x96c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE7C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000160000 0x00160000 0x0016ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffae0000 0xffb12fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation   Filename            Additional Information   Success   Count
Get Info    STD_ERROR_HANDLE    type = file_type         True      4
Open        STD_OUTPUT_HANDLE   -                        True      1
Open        STD_ERROR_HANDLE    -                        True      1
Write       STD_ERROR_HANDLE    size = 30                True      1
Write       STD_ERROR_HANDLE    size = 2                 True      2
Write       STD_ERROR_HANDLE    size = 52                True      1
Module (3)
Operation      Module                         Additional Information                                                                                Success   Count
Load           NETMSG                         base_address = 0x75290000                                                                             True      1
Get Handle     c:\windows\system32\net1.exe   base_address = 0xffae0000                                                                             True      1
Get Filename   -                              process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260   True      1
Service (2)
Operation          Additional Information                     Success   Count
Get Service Name   database_name = SERVICES_ACTIVE_DATABASE   False     1
Open Manager       database_name = SERVICES_ACTIVE_DATABASE   True      1
System (2)
Operation   Additional Information                                  Success   Count
Get Time    type = System Time, time = 2018-11-27 19:40:44 (UTC)   True      1
Get Time    type = Ticks, time = 154908                             True      1
Process #274: net.exe
0 0
Information Value
ID #274
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:01, Reason: Child Process
Unmonitor End Time: 00:02:03, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x80c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory rw True False False -
locale.nls 0x00210000 0x00276fff Memory Mapped File r False False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0039ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #275: net1.exe
17 0
Information Value
ID #275
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop sophossps /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:01, Reason: Child Process
Unmonitor End Time: 00:02:02, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf0
Parent PID 0xa1c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC9C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff520000 0xff552fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff520000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:44 (UTC) True 1
Get Time type = Ticks, time = 155330 True 1
Process #276: net.exe
Information Value
ID #276
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:01, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xecc
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xED0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #277: net1.exe
Information Value
ID #277
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:01, Reason: Child Process
Unmonitor End Time: 00:02:02, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xd4c
Parent PID 0xd78 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xBEC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff520000 0xff552fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff520000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:44 (UTC) True 1
Get Time type = Ticks, time = 155454 True 1
Process #278: net.exe
Information Value
ID #278
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:02, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa9c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD28
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000120000 0x00120000 0x0021ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #279: net.exe
Information Value
ID #279
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:02, Reason: Child Process
Unmonitor End Time: 00:02:03, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd0c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x968
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #280: net.exe
Information Value
ID #280
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:02, Reason: Child Process
Unmonitor End Time: 00:02:03, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xab0
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD58
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #281: net.exe
Information Value
ID #281
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:02, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x860
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF44
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #282: net1.exe
Information Value
ID #282
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:02, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x82c
Parent PID 0x80c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF98
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x001affff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff790000 0xff7c2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff790000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:45 (UTC) True 1
Get Time type = Ticks, time = 155876 True 1
Process #283: net.exe
Information Value
ID #283
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:02, Reason: Child Process
Unmonitor End Time: 00:02:03, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfe0
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x814
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #284: net1.exe
Information Value
ID #284
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:02, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xfd8
Parent PID 0xecc (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x858
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff790000 0xff7c2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff790000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:45 (UTC) True 1 Fn
Get Time type = Ticks, time = 156391 True 1 Fn
Process #285: net1.exe
Information Value
ID #285
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:02, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xca4
Parent PID 0xab0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xCA8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0031ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff790000 0xff7c2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff790000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:45 (UTC) True 1 Fn
Get Time type = Ticks, time = 156422 True 1 Fn
Process #286: net1.exe
Information Value
ID #286
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:02, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xc28
Parent PID 0xd0c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x824
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff790000 0xff7c2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff790000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:45 (UTC) True 1 Fn
Get Time type = Ticks, time = 156281 True 1 Fn
Process #287: net1.exe
Information Value
ID #287
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:02, Reason: Child Process
Unmonitor End Time: 00:02:03, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x8a4
Parent PID 0xa9c (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x894
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0023ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff790000 0xff7c2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff790000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:45 (UTC) True 1 Fn
Get Time type = Ticks, time = 156469 True 1 Fn
Process #288: net.exe
Information Value
ID #288
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:02, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf3c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF40
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #289: net.exe
Information Value
ID #289
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$TPS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:03, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe48
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x900
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x001fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #290: net.exe
Information Value
ID #290
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:03, Reason: Child Process
Unmonitor End Time: 00:02:05, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9c8
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x904
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000120000 0x00120000 0x0021ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #291: net1.exe
Information Value
ID #291
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:03, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x61c
Parent PID 0x860 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xCCC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0028ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff6a0000 0xff6d2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff6a0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:46 (UTC) True 1 Fn
Get Time type = Ticks, time = 157015 True 1 Fn
Process #292: net1.exe
Information Value
ID #292
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:03, Reason: Child Process
Unmonitor End Time: 00:02:03, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xd38
Parent PID 0xfe0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD8C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x00000000001e0000 0x001e0000 0x001effff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff6a0000 0xff6d2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff6a0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:46 (UTC) True 1 Fn
Get Time type = Ticks, time = 156952 True 1 Fn
Process #293: net.exe
Information Value
ID #293
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:03, Reason: Child Process
Unmonitor End Time: 00:02:05, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc68
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xE20
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000220000 0x00220000 0x0022ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #294: net1.exe
Information Value
ID #294
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$TPS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:03, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xd44
Parent PID 0xe48 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xE38
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff6a0000 0xff6d2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff6a0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:46 (UTC) True 1 Fn
Get Time type = Ticks, time = 157280 True 1 Fn
Process #295: net1.exe
Information Value
ID #295
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:03, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xe68
Parent PID 0xf3c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD6C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x00000000005b0000 0x005b0000 0x005bffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff6a0000 0xff6d2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff6a0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:46 (UTC) True 1 Fn
Get Time type = Ticks, time = 157311 True 1 Fn
Process #296: net.exe
Information Value
ID #296
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:03, Reason: Child Process
Unmonitor End Time: 00:02:05, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xdb8
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC70
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #297: net.exe
Information Value
ID #297
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLBrowser /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:04, Reason: Child Process
Unmonitor End Time: 00:02:07, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xdb0
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xCC0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #298: net1.exe
Information Value
ID #298
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:04, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x84c
Parent PID 0x9c8 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xE24
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0026ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffc00000 0xffc32fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffc00000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:46 (UTC) True 1 Fn
Get Time type = Ticks, time = 157623 True 1 Fn
Process #299: net.exe
Information Value
ID #299
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLSafeOLRService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:04, Reason: Child Process
Unmonitor End Time: 00:02:05, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x928
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC64
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x0022ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #300: net.exe
Information Value
ID #300
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:04, Reason: Child Process
Unmonitor End Time: 00:02:06, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd74
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD90
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x0057ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #301: net.exe
Information Value
ID #301
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLTELEMETRY /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:04, Reason: Child Process
Unmonitor End Time: 00:02:06, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe94
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF58
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0036ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #302: net1.exe
17 0
Information Value
ID #302
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:04, Reason: Child Process
Unmonitor End Time: 00:02:05, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xeb0
Parent PID 0xc68 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF6C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
locale.nls 0x00280000 0x002e6fff Memory Mapped File r False False False -
private_0x00000000003a0000 0x003a0000 0x003affff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff680000 0xff6b2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff680000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:47 (UTC) True 1 Fn
Get Time type = Ticks, time = 158231 True 1 Fn
Process #303: net1.exe
17 0
Information Value
ID #303
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:04, Reason: Child Process
Unmonitor End Time: 00:02:05, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf88
Parent PID 0xdb8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF18
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0027ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff680000 0xff6b2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff680000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:47 (UTC) True 1 Fn
Get Time type = Ticks, time = 158091 True 1 Fn
Process #304: net1.exe
17 0
Information Value
ID #304
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLSafeOLRService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:04, Reason: Child Process
Unmonitor End Time: 00:02:05, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xee0
Parent PID 0x928 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF74
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0036ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff680000 0xff6b2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefb6e0000 0x7fefb6f1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff680000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:47 (UTC) True 1 Fn
Get Time type = Ticks, time = 158153 True 1 Fn
Process #305: net.exe
0 0
Information Value
ID #305
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:04, Reason: Child Process
Unmonitor End Time: 00:02:06, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc48
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC8C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #306: net.exe
0 0
Information Value
ID #306
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLWriter /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:04, Reason: Child Process
Unmonitor End Time: 00:02:06, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x808
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xEDC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #307: net1.exe
17 0
Information Value
ID #307
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLTELEMETRY /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:05, Reason: Child Process
Unmonitor End Time: 00:02:05, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xe64
Parent PID 0xe94 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xEC8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff6c0000 0xff6f2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff6c0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:47 (UTC) True 1 Fn
Get Time type = Ticks, time = 158684 True 1 Fn
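The net.exe and net1.exe records in this part of the report all follow one pattern: the analysis target (xhcdxx.exe, PID 0xb0) launches net.exe with `stop <service> /y` for a list of SQL Server and backup-related services, net.exe delegates to net1.exe, and net1.exe writes an error to STDERR because none of the targeted services exist on the analysis VM (its Get Service Name call returns False). The indicator is therefore not any single stop but the burst of stops under one root process, with /y suppressing the confirmation prompt so dependent services go down as well. The Python below is an added example and is not part of the VMRay report: it rebuilds the process tree from process-creation events, folds each net1.exe stop back to the non-net ancestor that issued it (so net/net1 pairs are not counted twice), and flags a root that stops several distinct services within a short window. The sample events are constructed from the command lines, PIDs and monitor start times in this section; the event layout, the timestamps as seconds, the target's own parent PID, the command lines of the four net.exe parents that appear here only by PID (0xc68, 0xdb8, 0x928, 0xd74) and the trailing benign cmd.exe/Spooler records are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example, not VMRay code. Event layout is an assumption; map Sysmon
# Event ID 1 / EDR process-creation fields onto it.
@dataclass(frozen=True)
class ProcEvent:
    ts: float       # seconds since the start of the trace (assumed unit)
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str

NET_IMAGES = {"net.exe", "net1.exe"}
_TOKEN = re.compile(r'"[^"]*"|\S+')   # quoted path or bare token

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def parse_net_stop(cmdline: str) -> Optional[dict]:
    """Return {service, forced} when cmdline is `net[1][.exe] stop <svc> [/y]`, else None."""
    toks = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    if len(toks) < 3:
        return None
    exe = basename(toks[0])
    exe = exe[:-4] if exe.endswith(".exe") else exe   # "net1" is logged without .exe
    if exe not in ("net", "net1") or toks[1].lower() != "stop":
        return None
    return {"service": toks[2], "forced": any(t.lower() == "/y" for t in toks[3:])}

def root_of(pid: int, by_pid: Dict[int, ProcEvent]) -> int:
    """Walk up through net.exe / net1.exe parents to the process that issued the stop."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        if basename(ev.image) not in NET_IMAGES:
            return pid
        pid = ev.ppid
    return pid      # ancestor missing from the event set: attribute to last known PID

def find_service_stop_bursts(events: List[ProcEvent], min_services: int = 3,
                             window_s: float = 60.0) -> List[dict]:
    """Report roots that stop >= min_services distinct services within window_s seconds."""
    by_pid = {e.pid: e for e in events}
    per_root: Dict[int, Dict[str, tuple]] = {}
    for ev in events:
        hit = parse_net_stop(ev.cmdline)
        if hit is None:
            continue
        bucket = per_root.setdefault(root_of(ev.pid, by_pid), {})
        key = hit["service"].lower()
        prev = bucket.get(key)
        if prev is None or ev.ts < prev[0]:           # net and net1 both log it; keep earliest
            bucket[key] = (ev.ts, hit["service"], hit["forced"])
    findings = []
    for root, svcs in per_root.items():
        entries = sorted(svcs.values())               # ordered by timestamp
        best: List[tuple] = []
        for i in range(len(entries)):                 # widest cluster that fits the window
            j = i
            while j < len(entries) and entries[j][0] - entries[i][0] <= window_s:
                j += 1
            if j - i > len(best):
                best = entries[i:j]
        if len(best) >= min_services:
            root_ev = by_pid.get(root)
            findings.append({
                "root_pid": root,
                "root_image": basename(root_ev.image) if root_ev else "<unknown>",
                "services": [name for _, name, _ in best],
                "forced": all(f for _, _, f in best),
                "span_s": best[-1][0] - best[0][0],
            })
    return findings

# Constructed sample, taken from the process records above (PIDs, command lines, start times).
TARGET = r"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe"
NET, NET1 = r"C:\Windows\System32\net.exe", r"C:\Windows\System32\net1.exe"

def _net(ts, pid, ppid, svc):    # net.exe record, quoted form as logged
    return ProcEvent(ts, pid, ppid, NET, f'"{NET}" stop {svc} /y')

def _net1(ts, pid, ppid, svc):   # net1.exe record, unquoted form as logged
    return ProcEvent(ts, pid, ppid, NET1, rf"C:\Windows\system32\net1 stop {svc} /y")

ROOT = 0x0B0
SAMPLE_EVENTS = [
    ProcEvent(0.0, ROOT, 0x004, TARGET, f'"{TARGET}"'),           # parent PID assumed
    _net(124.0, 0xE94, ROOT, "SQLTELEMETRY"),                      # #301
    _net(124.0, 0xC48, ROOT, "SQLTELEMETRY$ECWDB2"),               # #305
    _net(124.0, 0x808, ROOT, "SQLWriter"),                         # #306
    # parents of #302-#304 and #308 appear above only by PID; command lines assumed from the net1 child
    _net(124.0, 0xC68, ROOT, "SQLAgent$VEEAMSQL2008R2"),
    _net(124.0, 0xDB8, ROOT, "SQLAgent$VEEAMSQL2012"),
    _net(124.0, 0x928, ROOT, "SQLSafeOLRService"),
    _net(125.0, 0xD74, ROOT, "SQLSERVERAGENT"),
    _net1(124.0, 0xEB0, 0xC68, "SQLAgent$VEEAMSQL2008R2"),         # #302
    _net1(124.0, 0xF88, 0xDB8, "SQLAgent$VEEAMSQL2012"),           # #303
    _net1(124.0, 0xEE0, 0x928, "SQLSafeOLRService"),               # #304
    _net1(125.0, 0xE64, 0xE94, "SQLTELEMETRY"),                    # #307
    _net1(125.0, 0xED4, 0xD74, "SQLSERVERAGENT"),                  # #308
    # constructed benign noise: an admin stopping a single service from a console
    ProcEvent(300.0, 0x1234, 0xABC, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    ProcEvent(301.0, 0x1240, 0x1234, NET, f'"{NET}" stop Spooler'),
]

if __name__ == "__main__":
    for f in find_service_stop_bursts(SAMPLE_EVENTS):
        print(f"{f['root_image']} (pid 0x{f['root_pid']:x}) stopped {len(f['services'])} services "
              f"in {f['span_s']:.0f}s, forced={f['forced']}: {', '.join(f['services'])}")
```

On this sample the detector returns a single finding rooted at xhcdxx.exe covering all seven services within one second, and nothing for the lone Spooler stop. Tune min_services and window_s to your environment; three distinct service stops inside a minute from one non-console parent is already unusual on most hosts, and a /y on every stop is a further hint.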
Process #308: net1.exe
17 0
Information Value
ID #308
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLSERVERAGENT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:05, Reason: Child Process
Unmonitor End Time: 00:02:05, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xed4
Parent PID 0xd74 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF54
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000180000 0x00180000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff6c0000 0xff6f2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff6c0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:47 (UTC) True 1 Fn
Get Time type = Ticks, time = 158715 True 1 Fn
Process #309: net1.exe
17 0
Information Value
ID #309
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLBrowser /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:05, Reason: Child Process
Unmonitor End Time: 00:02:06, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xef0
Parent PID 0xdb0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF5C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x0040ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff6c0000 0xff6f2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff6c0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:47 (UTC) True 1 Fn
Get Time type = Ticks, time = 158731 True 1 Fn
Process #310: net.exe
0 0
Information Value
ID #310
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SstpSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:05, Reason: Child Process
Unmonitor End Time: 00:02:07, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x92c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xAFC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #311: net.exe
0 0
Information Value
ID #311
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop svcGenericHost /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:05, Reason: Child Process
Unmonitor End Time: 00:02:07, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x908
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #312: net1.exe
17 0
Information Value
ID #312
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLWriter /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:05, Reason: Child Process
Unmonitor End Time: 00:02:06, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf14
Parent PID 0x808 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF64
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
locale.nls 0x00280000 0x002e6fff Memory Mapped File r False False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffeb0000 0xffee2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffeb0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:48 (UTC) True 1 Fn
Get Time type = Ticks, time = 159058 True 1 Fn
Process #313: net1.exe
17 0
Information Value
ID #313
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:05, Reason: Child Process
Unmonitor End Time: 00:02:06, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xc08
Parent PID 0xc48 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC7C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x002affff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffeb0000 0xffee2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffeb0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:48 (UTC) True 1 Fn
Get Time type = Ticks, time = 159089 True 1 Fn
Process #314: net.exe
0 0
Information Value
ID #314
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop swi_service /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:05, Reason: Child Process
Unmonitor End Time: 00:02:06, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe3c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xACC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #315: net1.exe
17 0
Information Value
ID #315
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop svcGenericHost /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:05, Reason: Child Process
Unmonitor End Time: 00:02:07, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xdc0
Parent PID 0x908 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xE18
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe70000 0xffea2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffe70000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:48 (UTC) True 1 Fn
Get Time type = Ticks, time = 159448 True 1 Fn
Process #316: net1.exe
20 0
Information Value
ID #316
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SstpSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:05, Reason: Child Process
Unmonitor End Time: 00:02:07, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xe54
Parent PID 0x92c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xDF4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory rw True False False -
private_0x00000000006b0000 0x006b0000 0x006bffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe70000 0xffea2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 70 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffe70000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (5)
Operation Additional Information Success Count Logfile
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Get Info service_name = SSTPSVC True 1
Fn
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:48 (UTC) True 1
Fn
Get Time type = Ticks, time = 159448 True 1
Fn
Process #317: net.exe
0 0
Information Value
ID #317
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop swi_update_64 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:06, Reason: Child Process
Unmonitor End Time: 00:02:07, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x115c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xDE4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000080000 0x00080000 0x0017ffff Private Memory rw True False False -
locale.nls 0x00180000 0x001e6fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0031ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #318: net.exe
0 0
Information Value
ID #318
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop TmCCSF /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:06, Reason: Child Process
Unmonitor End Time: 00:02:07, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x890
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1100
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #319: net1.exe
17 0
Information Value
ID #319
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop swi_service /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:06, Reason: Child Process
Unmonitor End Time: 00:02:06, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xd40
Parent PID 0xe3c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xDC4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000230000 0x00230000 0x0023ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff850000 0xff882fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
browcli.dll 0x7fef8ed0000 0x7fef8ee1fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff850000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:49 (UTC) True 1
Fn
Get Time type = Ticks, time = 159807 True 1
Fn
Process #320: net.exe
0 0
Information Value
ID #320
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop tmlisten /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:06, Reason: Child Process
Unmonitor End Time: 00:02:08, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xdf0
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xDB4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #321: net.exe
0 0
Information Value
ID #321
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop TrueKey /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:06, Reason: Child Process
Unmonitor End Time: 00:02:08, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x95c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x578
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0005ffff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x0022ffff Private Memory rw True False False -
locale.nls 0x00230000 0x00296fff Memory Mapped File r False False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef4810000 0x7fef4821fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #322: net1.exe
17 0
Information Value
ID #322
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop swi_update_64 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:06, Reason: Child Process
Unmonitor End Time: 00:02:07, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x79c
Parent PID 0x115c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xBA0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x0000000000570000 0x00570000 0x0057ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffd10000 0xffd42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffd10000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:49 (UTC) True 1
Fn
Get Time type = Ticks, time = 160291 True 1
Fn
Process #323: net1.exe
17 0
Information Value
ID #323
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop TmCCSF /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:06, Reason: Child Process
Unmonitor End Time: 00:02:07, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x8b8
Parent PID 0x890 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x958
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x0017ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffd10000 0xffd42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffd10000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:49 (UTC) True 1
Fn
Get Time type = Ticks, time = 160322 True 1
Fn
Process #324: net.exe
0 0
Information Value
ID #324
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop TrueKeyScheduler /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:07, Reason: Child Process
Unmonitor End Time: 00:02:08, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd04
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xBE8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #325: net.exe
0 0
Information Value
ID #325
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:07, Reason: Child Process
Unmonitor End Time: 00:02:08, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1198
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x12D0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #326: net.exe
0 0
Information Value
ID #326
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop UI0Detect /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:07, Reason: Child Process
Unmonitor End Time: 00:02:08, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x540
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xBB0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #327: net.exe
0 0
Information Value
ID #327
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamBackupSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:07, Reason: Child Process
Unmonitor End Time: 00:02:09, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb44
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x820
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #328: net1.exe
17 0
Information Value
ID #328
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop TrueKey /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:07, Reason: Child Process
Unmonitor End Time: 00:02:08, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x91c
Parent PID 0x95c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1178
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x001bffff Private Memory rw True False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa10000 0xffa42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4810000 0x7fef4821fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffa10000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:50 (UTC) True 1 Fn
Get Time type = Ticks, time = 161273 True 1 Fn
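The process records above are the pattern a detection engineer wants to alert on: the elevated sample (PID 0xb0) launches one net.exe per service (stop TrueKeyScheduler, TrueKeyServiceHelper, UI0Detect, VeeamBackupSvc and so on, all with /y), and each net.exe re-executes the request through a net1.exe child, which is where the service control manager calls (Open Manager, Get Service Name) actually happen. Two caveats follow from the tables. First, every stop therefore appears twice in a process log, under two different images, so a rule that simply counts "net stop" children of one parent splits the fan-out across the net.exe wrappers. Second, Get Service Name fails (Success False) in every net1.exe, and the stderr writes of 30, 2 and 52 bytes match in length net's "The service name is invalid." and "More help is available by typing NET HELPMSG 2185." messages with CRLF terminators; that is an inference from the byte counts (the dumped data is not reproduced on this page), but if correct the targeted services were simply not installed in the sandbox, and the report documents intent rather than impact. The following Python is an added detection example, not part of the VMRay report and not the sample's code. Its input is a constructed list of process-creation events whose PIDs and command lines are taken from this report; the xhcdxx.exe parent PID, the net.exe records for TrueKey and tmlisten (only their net1.exe children appear in this section) and a benign Spooler control are filled in and marked as such. It walks net1.exe up past its net.exe launcher and flags any parent that stops or kills several distinct services or processes inside a short window.

```python
"""Flag a parent that fans out 'net stop' / 'taskkill' children.

Added detection example; it is not part of the VMRay report and not the
sample's code. SAMPLE_EVENTS is constructed from the PIDs and command
lines shown in the report (filled-in records are marked below).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    ts: float       # seconds since analysis start (constructed)
    pid: int
    ppid: int
    image: str      # lower-case base name, e.g. "net.exe"
    cmdline: str


# net.exe is only a launcher: it re-executes "stop" through net1.exe, so the
# same service appears twice in a process log, once per image. The pattern
# accepts both spellings; effective_parent() credits both to the real parent.
NET_STOP_RE = re.compile(
    r'^"?(?:[a-z]:\\windows\\system32\\)?net1?(?:\.exe)?"?\s+stop\s+(\S+)', re.I
)
TASKKILL_RE = re.compile(r'taskkill(?:\.exe)?"?\s.*?/im\s+(\S+)', re.I)

# Prefixes of the services this report shows being stopped: TrueKey (password
# manager), tmlisten (Trend Micro agent), UI0Detect (Interactive Services
# Detection) and the Veeam backup services. Used only to label the alert.
BACKUP_OR_SECURITY_RE = re.compile(r"^(?:TrueKey|tmlisten|UI0Detect|Veeam)", re.I)

Target = Tuple[str, str]  # ("service", name) or ("process", image)


def classify(ev: ProcEvent) -> Optional[Target]:
    """Extract the stop/kill target from a command line, or None."""
    m = NET_STOP_RE.match(ev.cmdline)
    if m:
        return ("service", m.group(1))
    m = TASKKILL_RE.search(ev.cmdline)
    if m:
        return ("process", m.group(1))
    return None


def effective_parent(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> int:
    """Walk up through net.exe launchers so net1.exe is credited to net.exe's parent."""
    ppid = ev.ppid
    while ppid in by_pid and by_pid[ppid].image == "net.exe":
        ppid = by_pid[ppid].ppid
    return ppid


def detect_fanout(events: List[ProcEvent], min_targets: int = 3, window: float = 30.0) -> Dict[int, dict]:
    """Return {parent_pid: {"targets": [...], "backup_or_security": n}} for every
    parent that stops/kills at least min_targets distinct targets within window seconds."""
    by_pid = {e.pid: e for e in events}
    per_parent: Dict[int, List[Tuple[float, Target]]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        target = classify(ev)
        if target is not None:
            per_parent[effective_parent(ev, by_pid)].append((ev.ts, target))

    hits: Dict[int, dict] = {}
    for parent, seq in per_parent.items():
        start = 0
        for end in range(len(seq)):            # sliding time window over the ordered list
            while seq[end][0] - seq[start][0] > window:
                start += 1
            if len({t for _, t in seq[start:end + 1]}) >= min_targets:
                targets = sorted({t for _, t in seq})
                hits[parent] = {
                    "targets": targets,
                    "backup_or_security": sum(1 for _, n in targets if BACKUP_OR_SECURITY_RE.match(n)),
                }
                break
    return hits


NET = r'"C:\Windows\System32\net.exe" stop '
NET1 = r'C:\Windows\system32\net1 stop '
# Constructed from the report; timestamps approximate the 00:02:07-00:02:08 window.
# Filled in, not in the report: the xhcdxx.exe parent PID (0x1), the net.exe
# records for TrueKey and tmlisten (only their net1.exe children are shown),
# and the benign Spooler control at the end.
SAMPLE_EVENTS = [
    ProcEvent(0.0, 0xb0, 0x1, "xhcdxx.exe", r'"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe"'),
    ProcEvent(127.0, 0x95c, 0xb0, "net.exe", NET + "TrueKey /y"),
    ProcEvent(127.0, 0xdf0, 0xb0, "net.exe", NET + "tmlisten /y"),
    ProcEvent(127.0, 0xd04, 0xb0, "net.exe", NET + "TrueKeyScheduler /y"),
    ProcEvent(127.0, 0x1198, 0xb0, "net.exe", NET + "TrueKeyServiceHelper /y"),
    ProcEvent(127.0, 0x540, 0xb0, "net.exe", NET + "UI0Detect /y"),
    ProcEvent(127.0, 0xb44, 0xb0, "net.exe", NET + "VeeamBackupSvc /y"),
    ProcEvent(127.0, 0x12fc, 0xb0, "net.exe", NET + "VeeamBrokerSvc /y"),
    ProcEvent(128.0, 0x1160, 0xb0, "net.exe", NET + "VeeamCatalogSvc /y"),
    ProcEvent(127.5, 0x91c, 0x95c, "net1.exe", NET1 + "TrueKey /y"),
    ProcEvent(127.5, 0x404, 0xdf0, "net1.exe", NET1 + "tmlisten /y"),
    ProcEvent(127.5, 0xb3c, 0xd04, "net1.exe", NET1 + "TrueKeyScheduler /y"),
    ProcEvent(127.5, 0x11a4, 0x1198, "net1.exe", NET1 + "TrueKeyServiceHelper /y"),
    ProcEvent(600.0, 0x2000, 0x1f00, "net.exe", NET + "Spooler"),     # admin, one service
    ProcEvent(600.2, 0x2001, 0x2000, "net1.exe", NET1 + "Spooler"),
]

if __name__ == "__main__":
    for parent, info in detect_fanout(SAMPLE_EVENTS).items():
        print(f"pid {parent:#x}: {len(info['targets'])} distinct targets, "
              f"{info['backup_or_security']} backup/security related")
        for kind, name in info["targets"]:
            print(f"  {kind}: {name}")
```

Run against the constructed events, only PID 0xb0 is reported, with eight distinct services; the Spooler restart under another parent stays below the threshold. The threshold and window are tuning knobs: a single "net stop" is routine administration, a burst of distinct stops against backup and endpoint-protection services from one elevated parent is the pre-encryption signature this report captures. Because the stops in the sandbox hit services that did not exist, a rule keyed on service-stop success (for example SCM event 7036) would see nothing here; the process-creation telemetry is what carries the signal.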
Process #329: net1.exe
17 0
Information Value
ID #329
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop tmlisten /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:07, Reason: Child Process
Unmonitor End Time: 00:02:08, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x404
Parent PID 0xdf0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1284
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x001fffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa10000 0xffa42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4810000 0x7fef4821fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffa10000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:50 (UTC) True 1 Fn
Get Time type = Ticks, time = 161305 True 1 Fn
Process #330: net1.exe
17 0
Information Value
ID #330
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop TrueKeyScheduler /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:07, Reason: Child Process
Unmonitor End Time: 00:02:09, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xb3c
Parent PID 0xd04 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8B0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
locale.nls 0x00270000 0x002d6fff Memory Mapped File r False False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000004c0000 0x004c0000 0x004cffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa10000 0xffa42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4810000 0x7fef4821fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffa10000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:50 (UTC) True 1 Fn
Get Time type = Ticks, time = 161336 True 1 Fn
Process #331: net1.exe
17 0
Information Value
ID #331
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:07, Reason: Child Process
Unmonitor End Time: 00:02:08, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x11a4
Parent PID 0x1198 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1310
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x001fffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory rw True False False -
netmsg.dll 0x75270000 0x75271fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa10000 0xffa42fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4810000 0x7fef4821fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75270000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffa10000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:50 (UTC) True 1 Fn
Get Time type = Ticks, time = 161149 True 1 Fn
Process #332: net.exe
0 0
Information Value
ID #332
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:07, Reason: Child Process
Unmonitor End Time: 00:02:09, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x12fc
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x12D8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #333: net.exe
0 0
Information Value
ID #333
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:08, Reason: Child Process
Unmonitor End Time: 00:02:09, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1160
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x12A4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #334: net1.exe
Information Value
ID #334
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamBackupSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:08, Reason: Child Process
Unmonitor End Time: 00:02:08, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x1308
Parent PID 0xb44 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x12B8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe70000 0xffea2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4810000 0x7fef4821fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe70000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:51 (UTC) True 1
Get Time type = Ticks, time = 161866 True 1
Process #335: net1.exe
Information Value
ID #335
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop UI0Detect /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:08, Reason: Child Process
Unmonitor End Time: 00:02:09, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xb5c
Parent PID 0x540 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x93C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
locale.nls 0x00280000 0x002e6fff Memory Mapped File r False False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe70000 0xffea2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4810000 0x7fef4821fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 60 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe70000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (5)
Operation Additional Information Success Count
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 1
Get Info service_name = UI0DETECT True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:50 (UTC) True 1
Get Time type = Ticks, time = 161695 True 1
Process #336: net.exe
Information Value
ID #336
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamCloudSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:08, Reason: Child Process
Unmonitor End Time: 00:02:09, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x10e0
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x12C4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #337: net.exe
Information Value
ID #337
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamDeploymentService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:08, Reason: Child Process
Unmonitor End Time: 00:02:09, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8a8
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1174
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #338: net1.exe
Information Value
ID #338
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamBrokerSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:08, Reason: Child Process
Unmonitor End Time: 00:02:09, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1358
Parent PID 0x12fc (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x810
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x0030ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff410000 0xff442fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4810000 0x7fef4821fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff410000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:51 (UTC) True 1
Get Time type = Ticks, time = 162256 True 1
Process #339: net1.exe
Information Value
ID #339
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamCatalogSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:08, Reason: Child Process
Unmonitor End Time: 00:02:09, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x13dc
Parent PID 0x1160 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC3C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
private_0x00000000004d0000 0x004d0000 0x004dffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff410000 0xff442fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4810000 0x7fef4821fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff410000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:51 (UTC) True 1
Get Time type = Ticks, time = 162163 True 1
Process #340: net.exe
Information Value
ID #340
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamDeploySvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:08, Reason: Child Process
Unmonitor End Time: 00:02:10, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x13d4
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x119C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000120000 0x00120000 0x0012ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #341: net.exe
Information Value
ID #341
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:08, Reason: Child Process
Unmonitor End Time: 00:02:10, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x13c8
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1384
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #342: net.exe
Information Value
ID #342
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamMountSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:09, Reason: Child Process
Unmonitor End Time: 00:02:10, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1188
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1288
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #343: net1.exe
Information Value
ID #343
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamCloudSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:09, Reason: Child Process
Unmonitor End Time: 00:02:09, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x12b0
Parent PID 0x10e0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x81C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
locale.nls 0x00240000 0x002a6fff Memory Mapped File r False False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa40000 0xffa72fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4810000 0x7fef4821fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa40000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:51 (UTC) True 1
Get Time type = Ticks, time = 162599 True 1
Process #344: net1.exe
Information Value
ID #344
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamDeploymentService /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:09, Reason: Child Process
Unmonitor End Time: 00:02:09, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x12e4
Parent PID 0x8a8 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x12C8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x0013ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa40000 0xffa72fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4810000 0x7fef4821fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa40000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:51 (UTC) True 1
Get Time type = Ticks, time = 162724 True 1
Process #345: net.exe
Information Value
ID #345
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamNFSSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:09, Reason: Child Process
Unmonitor End Time: 00:02:10, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xac0
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1270
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #346: net.exe
Information Value
ID #346
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamRESTSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:09, Reason: Child Process
Unmonitor End Time: 00:02:11, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1344
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1330
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #347: net.exe
Information Value
ID #347
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamTransportSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:09, Reason: Child Process
Unmonitor End Time: 00:02:10, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1348
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x13F4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #348: net.exe
Information Value
ID #348
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop W3Svc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:09, Reason: Child Process
Unmonitor End Time: 00:02:11, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1360
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x13B0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #349: net1.exe
Information Value
ID #349
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:09, Reason: Child Process
Unmonitor End Time: 00:02:09, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x136c
Parent PID 0x13c8 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x130C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
private_0x0000000000530000 0x00530000 0x0053ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff660000 0xff692fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff660000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:52 (UTC) True 1
Get Time type = Ticks, time = 163145 True 1
Process #350: net1.exe
Information Value
ID #350
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamDeploySvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:09, Reason: Child Process
Unmonitor End Time: 00:02:10, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1370
Parent PID 0x13d4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1380
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff660000 0xff692fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff660000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:52 (UTC) True 1
Get Time type = Ticks, time = 163208 True 1
Process #351: net1.exe
17 0
Information Value
ID #351
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamNFSSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:09, Reason: Child Process
Unmonitor End Time: 00:02:10, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x13cc
Parent PID 0xac0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1398
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0039ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff660000 0xff692fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff660000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:52 (UTC) True 1
Get Time type = Ticks, time = 163379 True 1
Process #352: net.exe
0 0
Information Value
ID #352
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop wbengine /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:09, Reason: Child Process
Unmonitor End Time: 00:02:11, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc38
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x13E4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
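The records above show the pattern worth detecting: the analysis target (xhcdxx.exe, running from the user's Desktop) launches net.exe with `stop <service> /y`, and net.exe re-spawns itself as net1.exe with the same arguments. The targets are backup, SQL and endpoint-protection services (Veeam*, wbengine, WRSVC, MSSQL$VEEAMSQL2008R2), stopped before encryption so that files are not locked and no recovery points are created. The `Get Service Name ... False` rows followed by short writes to STD_ERROR_HANDLE show that the services were not present in the sandbox and the stops failed; the 30- and 52-byte writes are consistent with net.exe's "The service name is invalid." and "More help is available by typing NET HELPMSG 2185." messages plus CRLF, although the report does not print the data itself. A detector should therefore alert on the attempt and on the parent chain, not on whether the stop succeeded. The following script is an added example, not part of the VMRay report or of its tooling; it runs over constructed process-creation records modelled on the PIDs, images and command lines in this section. The telemetry field layout, the net1.exe PIDs for the WRSVC and MSSQL chains, the extra service names sqlwriter and vss, and the burst threshold are assumptions.

```python
"""Flag ransomware-style "net stop <service> /y" activity in process-creation
telemetry. Added example for this report (not VMRay's or the sample's code); the
records below are constructed to mirror the net.exe -> net1.exe chains logged."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Services this sample stops (from the report) plus two assumed backup-related
# names (sqlwriter, vss) that are not in the report.
RECOVERY_SERVICE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^veeam", r"^wbengine$", r"^wrsvc$", r"^mssql\$",   # observed in this report
    r"^sqlwriter$", r"^vss$",                             # assumed additions
)]
# net.exe or net1.exe (bare, full path, quoted or not) followed by "stop <svc>";
# the service name may be quoted when it contains spaces.
NET_STOP_RE = re.compile(
    r'^\s*"?(?:[^"\s]*[\\/])?net1?(?:\.exe)?"?\s+stop\s+("[^"]+"|\S+)', re.IGNORECASE)
NET_HELPERS = ("\\net.exe", "\\net1.exe")


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


def service_from_net_stop(cmdline):
    """Return the service named in a 'net stop' command line, else None."""
    m = NET_STOP_RE.match(cmdline)
    return m.group(1).strip('"') if m else None


def is_recovery_service(name):
    return any(p.search(name) for p in RECOVERY_SERVICE_PATTERNS)


def root_process(ev, by_pid, max_depth=8):
    """Walk parents past net.exe/net1.exe (net.exe re-spawns itself as net1.exe
    with the same arguments) to the process that really issued the stop."""
    cur = ev
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            break
        cur = parent
        if not cur.image.lower().endswith(NET_HELPERS):
            break
    return cur


def detect(events, burst_window=timedelta(seconds=30), burst_threshold=3):
    """Rules: (1) stopped service is backup/SQL/endpoint protection; (2) the stop
    was issued by a process outside C:\\Windows; (3) one root process stopped
    >= burst_threshold distinct services within burst_window. The attempt is
    what matters: in the sandbox the stops failed (service not installed)."""
    by_pid = {e.pid: e for e in events}
    findings, seen = [], set()
    stops_by_root = defaultdict(list)            # root pid -> [(ts, service)]
    for ev in sorted(events, key=lambda e: e.ts):
        svc = service_from_net_stop(ev.cmdline)
        if svc is None:
            continue
        root = root_process(ev, by_pid)
        stops_by_root[root.pid].append((ev.ts, svc.lower()))
        hits = ["recovery_service_stop"] if is_recovery_service(svc) else []
        if not root.image.lower().startswith("c:\\windows\\"):
            hits.append("net_stop_from_untrusted_parent")
        for rule in hits:
            key = (rule, root.pid, svc.lower())  # collapse the net.exe/net1.exe pair
            if key not in seen:
                seen.add(key)
                findings.append({"rule": rule, "pid": ev.pid, "service": svc,
                                 "root_pid": root.pid, "root_image": root.image})
    for root_pid, stops in stops_by_root.items():
        stops.sort()
        for i, (t0, _) in enumerate(stops):
            window = {s for t, s in stops[i:] if t - t0 <= burst_window}
            if len(window) >= burst_threshold:
                findings.append({"rule": "service_stop_burst", "root_pid": root_pid,
                                 "root_image": by_pid[root_pid].image,
                                 "services": sorted(window)})
                break
    return findings


# Constructed telemetry modelled on this report: dropper PID 0xb0 on the Desktop,
# net.exe children, each re-spawning net1.exe. net1 PIDs for WRSVC/MSSQL assumed.
T0 = datetime(2018, 11, 27, 19, 40, 52)
SYS32 = "C:\\Windows\\System32\\"
DROPPER = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xhcdxx.exe"


def _net_chain(pid_net, pid_net1, svc, offset_s):
    ts = T0 + timedelta(seconds=offset_s)
    return [ProcEvent(ts, pid_net, 0xB0, SYS32 + "net.exe", f'"{SYS32}net.exe" stop {svc} /y'),
            ProcEvent(ts, pid_net1, pid_net, SYS32 + "net1.exe", f"{SYS32}net1 stop {svc} /y")]


SAMPLE_EVENTS = [
    ProcEvent(T0 - timedelta(seconds=5), 0xB0, 0, DROPPER, f'"{DROPPER}"'),  # parent unknown
    *_net_chain(0xAC0, 0x13CC, "VeeamNFSSvc", 0), *_net_chain(0xC38, 0x1008, "wbengine", 0),
    *_net_chain(0x1188, 0xC34, "VeeamMountSvc", 0), *_net_chain(0x13B4, 0x1310, "WRSVC", 1),
    *_net_chain(0x13BC, 0x1314, "MSSQL$VEEAMSQL2008R2", 1),
    # Benign control: an interactive cmd.exe stopping the print spooler later on.
    ProcEvent(T0 + timedelta(minutes=10), 0x800, 0x600, SYS32 + "cmd.exe", "cmd.exe"),
    ProcEvent(T0 + timedelta(minutes=10, seconds=2), 0x804, 0x800, SYS32 + "net.exe", "net stop spooler"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample this yields five `recovery_service_stop` and five `net_stop_from_untrusted_parent` findings (one per service, the net.exe/net1.exe pair collapsed) plus one `service_stop_burst` for the dropper, while the interactive `net stop spooler` from cmd.exe produces nothing. The parent walk matters because net1.exe's direct parent is always the benign-looking net.exe; the interesting ancestor is the Desktop executable two hops up.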
Process #353: net1.exe
17 0
Information Value
ID #353
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamMountSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:09, Reason: Child Process
Unmonitor End Time: 00:02:10, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xc34
Parent PID 0x1188 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1394
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
private_0x0000000000560000 0x00560000 0x0056ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff660000 0xff692fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff660000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:52 (UTC) True 1
Get Time type = Ticks, time = 163613 True 1
Process #354: net.exe
0 0
Information Value
ID #354
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop WRSVC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:10, Reason: Child Process
Unmonitor End Time: 00:02:12, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x13b4
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xCDC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #355: net1.exe
17 0
Information Value
ID #355
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamTransportSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:10, Reason: Child Process
Unmonitor End Time: 00:02:11, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xfec
Parent PID 0x1348 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x13E0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
private_0x00000000005e0000 0x005e0000 0x005effff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff660000 0xff692fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff660000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:52 (UTC) True 1
Get Time type = Ticks, time = 163723 True 1
Process #356: net.exe
0 0
Information Value
ID #356
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:10, Reason: Child Process
Unmonitor End Time: 00:02:12, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x13bc
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFF4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #357: net1.exe
17 0
Information Value
ID #357
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamRESTSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:10, Reason: Child Process
Unmonitor End Time: 00:02:10, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x1390
Parent PID 0x1344 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1374
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x0000000000520000 0x00520000 0x0052ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff660000 0xff692fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff660000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:53 (UTC) True 1
Get Time type = Ticks, time = 163832 True 1
Process #358: net1.exe
20 0
Information Value
ID #358
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop wbengine /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:10, Reason: Child Process
Unmonitor End Time: 00:02:11, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1008
Parent PID 0xc38 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1350
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0034ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff990000 0xff9c2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 63 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff990000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (5)
Operation Additional Information Success Count
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 1
Get Info service_name = WBENGINE True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:53 (UTC) True 1
Get Time type = Ticks, time = 164128 True 1
Process #359: net1.exe
17 0
Information Value
ID #359
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop W3Svc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:10, Reason: Child Process
Unmonitor End Time: 00:02:11, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1094
Parent PID 0x1360 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE98
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000160000 0x00160000 0x0016ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff990000 0xff9c2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff990000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:53 (UTC) True 1
Get Time type = Ticks, time = 164144 True 1
Process #360: net.exe
0 0
Information Value
ID #360
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:10, Reason: Child Process
Unmonitor End Time: 00:02:12, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x100c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xCC4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #361: net.exe
0 0
Information Value
ID #361
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:10, Reason: Child Process
Unmonitor End Time: 00:02:11, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfb4
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xB34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #362: net1.exe
17 0
Information Value
ID #362
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop WRSVC /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:10, Reason: Child Process
Unmonitor End Time: 00:02:11, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x105c
Parent PID 0x13b4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1264
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0031ffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff70000 0xfffa2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfff70000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:53 (UTC) True 1
Get Time type = Ticks, time = 164393 True 1
Process #363: net1.exe
17 0
Information Value
ID #363
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:11, Reason: Child Process
Unmonitor End Time: 00:02:11, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x101c
Parent PID 0x100c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x133C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x003effff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff130000 0xff162fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff130000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:53 (UTC) True 1
Get Time type = Ticks, time = 164643 True 1
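The net.exe and net1.exe entries above show the pattern a defender needs to catch: the analysis target (PID 0xb0, xhcdxx.exe) spawns one `net.exe stop <service> /y` per service, and net.exe relays each command to a net1.exe child, so the process that actually talks to the Service Control Manager (the one opening SERVICES_ACTIVE_DATABASE) is two hops away from the process that decided to stop the backup and database services. Process #363 (net1.exe, parent 0x100c) under process #360 (net.exe, parent 0xb0) is one such chain. The script below is an added example, not VMRay's code and not part of this report, showing how to fold that launcher chain back onto the originating process and alert when one origin stops or kills several services. The sample table is constructed: PIDs, parent PIDs and command lines are transcribed from the entries in this section, while the taskkill line and its PID 0x1234 are invented so the taskkill pattern is exercised. The SENSITIVE name fragments and the threshold of three are assumptions to be tuned, and no time window is applied because the report's monitor start times are only second-granular.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str      # lower-case image path, as the sandbox reports it
    cmdline: str


# Constructed sample: PIDs, parent PIDs and command lines transcribed from the
# net.exe / net1.exe entries of this report. The taskkill line and its PID
# 0x1234 are a constructed addition so that the taskkill pattern is exercised.
SAMPLE: List[Proc] = [
    Proc(0x0b0, 0x000, r"c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe",
         r'"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe"'),
    Proc(0x1008, 0xc38, r"c:\windows\system32\net1.exe", r"C:\Windows\system32\net1 stop wbengine /y"),
    Proc(0x1094, 0x1360, r"c:\windows\system32\net1.exe", r"C:\Windows\system32\net1 stop W3Svc /y"),
    Proc(0x100c, 0x0b0, r"c:\windows\system32\net.exe", r'"C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y'),
    Proc(0xfb4, 0x0b0, r"c:\windows\system32\net.exe", r'"C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y'),
    Proc(0x105c, 0x13b4, r"c:\windows\system32\net1.exe", r"C:\Windows\system32\net1 stop WRSVC /y"),
    Proc(0x101c, 0x100c, r"c:\windows\system32\net1.exe", r"C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y"),
    Proc(0x103c, 0x13bc, r"c:\windows\system32\net1.exe", r"C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y"),
    Proc(0xfe4, 0x0b0, r"c:\windows\system32\net.exe", r'"C:\Windows\System32\net.exe" stop swi_update /y'),
    Proc(0xdd8, 0x0b0, r"c:\windows\system32\net.exe", r'"C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y'),
    Proc(0x1234, 0x0b0, r"c:\windows\system32\taskkill.exe", r'"C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F'),
]

# (pattern, kind): group 1 is the service or image being stopped or killed.
STOP_PATTERNS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r'(?:^|\\)net1?(?:\.exe)?"?\s+stop\s+(?:/y\s+)?"?([^"\s]+)', re.I), "net stop"),
    (re.compile(r'(?:^|\\)sc(?:\.exe)?"?\s+(?:stop|delete)\s+"?([^"\s]+)', re.I), "sc"),
    (re.compile(r'(?:^|\\)taskkill(?:\.exe)?"?\s+.*?/IM\s+"?([^"\s]+)', re.I), "taskkill"),
]
LAUNCHERS = {"net.exe", "net1.exe"}   # net.exe hands the real work to a net1.exe child
# Name fragments of backup, database and endpoint-protection services; an
# illustrative list (assumption), to be extended for the products in your estate.
SENSITIVE = ("veeam", "sql", "wbengine", "backup", "vss", "wrsvc", "swi_", "sophos")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extract_target(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (kind, target) if the command line stops a service or kills a process."""
    for pattern, kind in STOP_PATTERNS:
        m = pattern.search(cmdline)
        if m:
            return kind, m.group(1)
    return None


def attribute(proc: Proc, table: Dict[int, Proc]) -> Optional[Proc]:
    """Climb past net.exe/net1.exe launchers to the process that issued the command.
    Returns None when the chain leaves the captured process set."""
    cur = proc
    while True:
        parent = table.get(cur.ppid)
        if parent is None:
            return None
        if basename(parent.image) not in LAUNCHERS:
            return parent
        cur = parent


def find_service_killers(procs: List[Proc], threshold: int = 3):
    """Group stop/kill attempts by originating process. Alert on an origin that
    targets >= threshold distinct names, or >= 2 names that look like backup,
    database or security services. Also return attempts that could not be
    attributed because their parent chain was not captured."""
    table = {p.pid: p for p in procs}
    by_origin: Dict[int, set] = defaultdict(set)
    unattributed: List[Tuple[int, str, str]] = []
    for p in procs:
        hit = extract_target(p.cmdline)
        if hit is None:
            continue
        kind, target = hit
        origin = attribute(p, table)
        if origin is None:
            unattributed.append((p.pid, kind, target.lower()))
        else:
            by_origin[origin.pid].add(target.lower())
    alerts = {}
    for pid in sorted(by_origin):
        targets = sorted(by_origin[pid])
        sensitive = [t for t in targets if any(f in t for f in SENSITIVE)]
        if len(targets) >= threshold or len(sensitive) >= 2:
            alerts[pid] = {"image": table[pid].image, "targets": targets, "sensitive": sensitive}
    return alerts, unattributed


if __name__ == "__main__":
    alerts, orphans = find_service_killers(SAMPLE)
    for pid, a in alerts.items():
        print(f"ALERT pid={pid:#x} {a['image']} stops/kills {len(a['targets'])} targets: {a['targets']}")
    for pid, kind, target in orphans:
        print(f"unattributed: pid={pid:#x} {kind} {target} (parent not in capture)")
```

Run against the sample, the only alert lands on PID 0xb0 (xhcdxx.exe) with five distinct targets, even though four of those stop requests were issued by net1.exe children that never touched xhcdxx.exe directly. The four net1.exe entries whose parent is not among the processes in this section (wbengine, W3Svc, WRSVC, MSSQL$VEEAMSQL2008R2) come back as unattributed, which is the practical caveat: a parent-chain detection is only as good as the process-creation telemetry feeding it, so in production feed it complete Sysmon Event ID 1 or EDR process-create records rather than a sandbox excerpt.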
Process #364: net1.exe
17 0
Information Value
ID #364
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:11, Reason: Child Process
Unmonitor End Time: 00:02:12, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x103c
Parent PID 0x13bc (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x102C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff130000 0xff162fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff130000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:53 (UTC) True 1
Get Time type = Ticks, time = 164612 True 1
Process #365: net.exe
0 0
Information Value
ID #365
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop swi_update /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:11, Reason: Child Process
Unmonitor End Time: 00:02:13, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfe4
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1368
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #366: net.exe
0 0
Information Value
ID #366
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:11, Reason: Child Process
Unmonitor End Time: 00:02:12, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xdd8
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x13F8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
private_0x00000000006c0000 0x006c0000 0x006cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef4810000 0x7fef4821fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #367: net1.exe
17 0
Information Value
ID #367
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:11, Reason: Child Process
Unmonitor End Time: 00:02:11, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xc6c
Parent PID 0xfb4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x108C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x003dffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff260000 0xff292fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff260000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:54 (UTC) True 1 Fn
Get Time type = Ticks, time = 164893 True 1 Fn
Process #368: net.exe
0 0
Information Value
ID #368
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:11, Reason: Child Process
Unmonitor End Time: 00:02:13, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1064
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE4C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #369: net.exe
0 0
Information Value
ID #369
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "SQL Backups" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:11, Reason: Child Process
Unmonitor End Time: 00:02:13, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd48
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1004
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000230000 0x00230000 0x0023ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #370: net1.exe
17 0
Information Value
ID #370
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$CXDB /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:11, Reason: Child Process
Unmonitor End Time: 00:02:12, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1038
Parent PID 0xdd8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x11C0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa80000 0xffab2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4810000 0x7fef4821fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffa80000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:54 (UTC) True 1 Fn
Get Time type = Ticks, time = 165345 True 1 Fn
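Added example, not part of the VMRay report and not code from the sample: detection logic for the pattern these process entries record. One parent (xhcdxx.exe, PID 0xb0) drives a burst of "net.exe stop <service> /y" and "taskkill.exe /IM <image> /F" children aimed at backup and database services, and each net.exe spawns a net1.exe worker with the same arguments (net1.exe is where the Service operations happen; net.exe itself shows no high-level activity). In this sandbox the Get Service Name lookup fails (Success False) and net1.exe only writes to STD_ERROR_HANDLE, so nothing is actually stopped in this run; on a host that runs those services the identical command lines would halt them (ATT&CK T1489, Service Stop), which is why the detection keys on the attempt, i.e. the command line and the parent, rather than on a service state change. The events below are constructed to mirror the command lines and parent/child links shown in this report; the Sysmon Event ID 1 (ProcessCreate) field names, the timestamps, the parent of xhcdxx.exe and the two benign control events are assumptions.

```python
"""Burst detection for the net stop / taskkill pattern in this report.

Added example, not part of the VMRay report or the sample. Events are
constructed to mirror the report's process tree; Sysmon Event ID 1 field
names, timestamps and the parent of xhcdxx.exe are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime

XHC = r"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe"
NET = r"C:\Windows\System32\net.exe"
NET1 = r"C:\Windows\system32\net1.exe"
TK = r"C:\Windows\System32\taskkill.exe"


def ev(ts, pid, ppid, image, cmd):
    return {"UtcTime": ts, "ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "CommandLine": cmd}


# Constructed log: child PIDs and command lines follow the report, the
# parent PID of xhcdxx.exe (0x4c8) and all timestamps are invented.
EVENTS = [
    ev("2018-11-27 19:40:53.100", 0xb0, 0x4c8, XHC, f'"{XHC}"'),
    ev("2018-11-27 19:40:53.200", 0xf0, 0xb0, TK, f'"{TK}" /IM zoolz.exe /F'),
    ev("2018-11-27 19:40:53.250", 0x3c8, 0xb0, TK, f'"{TK}" /IM agntsvc.exe /F'),
    ev("2018-11-27 19:40:54.000", 0xdd8, 0xb0, NET, f'"{NET}" stop SQLAgent$CXDB /y'),
    ev("2018-11-27 19:40:54.050", 0x1038, 0xdd8, NET1, r"C:\Windows\system32\net1 stop SQLAgent$CXDB /y"),
    ev("2018-11-27 19:40:54.100", 0x1064, 0xb0, NET, f'"{NET}" stop SQLAgent$CITRIX_METAFRAME /y'),
    ev("2018-11-27 19:40:54.150", 0xd48, 0xb0, NET, f'"{NET}" stop "SQL Backups" /y'),
    ev("2018-11-27 19:40:54.200", 0x11c4, 0xd48, NET1, r'C:\Windows\system32\net1 stop "SQL Backups" /y'),
    ev("2018-11-27 19:40:54.300", 0xfe4, 0xb0, NET, f'"{NET}" stop swi_update /y'),
    ev("2018-11-27 19:40:54.350", 0xfa8, 0xfe4, NET1, r"C:\Windows\system32\net1 stop swi_update /y"),
    ev("2018-11-27 19:40:54.400", 0x1058, 0xb0, NET, f'"{NET}" stop MSSQL$PROD /y'),
    ev("2018-11-27 19:40:54.450", 0x104c, 0xb0, NET, f'"{NET}" stop "Zoolz 2 Service" /y'),
    # Benign control (invented): an admin console stopping two services.
    ev("2018-11-27 19:45:00.000", 0x1200, 0x400, NET, f'"{NET}" stop Spooler /y'),
    ev("2018-11-27 19:45:05.000", 0x1204, 0x400, NET, f'"{NET}" stop "SQL Backups" /y'),
]

# net.exe stop X /y  or  net1 stop "X Y" /y  (quoted or bare service name)
STOP_RE = re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+(?:"([^"]+)"|(\S+))', re.I)
# taskkill.exe /IM image.exe /F
KILL_RE = re.compile(r'\btaskkill(?:\.exe)?"?\s+/im\s+(\S+)\s+/f\b', re.I)
# Name fragments of the backup/database/security targets seen in this report.
WATCH = re.compile(r"sql|veeam|backup|zoolz|agntsvc|dbeng|dbsnmp|encsvc|swi_", re.I)


def extract_target(cmdline):
    """('service', name) for net/net1 stop, ('process', image) for taskkill, else None."""
    m = STOP_RE.search(cmdline)
    if m:
        return ("service", m.group(1) or m.group(2))
    m = KILL_RE.search(cmdline)
    if m:
        return ("process", m.group(1))
    return None


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def find_stop_bursts(events, min_targets=5, window_seconds=30):
    """Attribute every watched stop/kill attempt to its parent PID and alert
    when one parent reaches min_targets distinct targets inside a sliding
    window of window_seconds. A net1.exe child of net.exe repeats the same
    command, so events whose parent image is net.exe are not counted twice."""
    image_of = {e["ProcessId"]: e["Image"] for e in events}
    hits = defaultdict(list)
    for e in events:
        if image_of.get(e["ParentProcessId"], "").lower().endswith("\\net.exe"):
            continue
        target = extract_target(e["CommandLine"])
        if target is None or not WATCH.search(target[1]):
            continue
        hits[e["ParentProcessId"]].append((_ts(e["UtcTime"]), target))
    alerts = []
    for ppid, rows in hits.items():
        rows.sort(key=lambda r: r[0])
        for i, (t0, _) in enumerate(rows):
            in_window = {tgt for t, tgt in rows[i:]
                         if (t - t0).total_seconds() <= window_seconds}
            if len(in_window) >= min_targets:
                alerts.append({"parent_pid": ppid,
                               "parent_image": image_of.get(ppid, "<not in log>"),
                               "targets": sorted(name for _, name in in_window)})
                break
    return alerts


if __name__ == "__main__":
    for a in find_stop_bursts(EVENTS):
        print(f"ALERT parent 0x{a['parent_pid']:x} {a['parent_image']}: "
              f"{len(a['targets'])} watched targets: {a['targets']}")
```

The control events show the intended false-positive behaviour: a single "net stop Spooler" or one "SQL Backups" stop from an admin console never reaches the threshold, whereas the sample's eight distinct targets inside two seconds do. In production the watchlist would be built from the backup, database and EDR service names actually deployed, and the parent image path (a user's Desktop, as here) is a useful secondary field to raise severity.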
Process #371: net1.exe
17 0
Information Value
ID #371
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop swi_update /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:11, Reason: Child Process
Unmonitor End Time: 00:02:12, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xfa8
Parent PID 0xfe4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa80000 0xffab2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4810000 0x7fef4821fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffa80000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:54 (UTC) True 1 Fn
Get Time type = Ticks, time = 165407 True 1 Fn
Process #372: net.exe
0 0
Information Value
ID #372
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$PROD /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:12, Reason: Child Process
Unmonitor End Time: 00:02:13, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1058
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xEF8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #373: net.exe
0 0
Information Value
ID #373
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:12, Reason: Child Process
Unmonitor End Time: 00:02:13, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x104c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x1114
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #374: net1.exe
17 0
Information Value
ID #374
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "SQL Backups" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:12, Reason: Child Process
Unmonitor End Time: 00:02:13, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x11c4
Parent PID 0xd48 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xB08
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0028ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffc20000 0xffc52fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffc20000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:54 (UTC) True 1
Get Time type = Ticks, time = 165673 True 1
Process #375: net1.exe
Information Value
ID #375
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:12, Reason: Child Process
Unmonitor End Time: 00:02:13, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xc24
Parent PID 0x1064 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1030
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x0000000000470000 0x00470000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffc20000 0xffc52fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffc20000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:54 (UTC) True 1
Get Time type = Ticks, time = 165641 True 1
Process #376: net.exe
Information Value
ID #376
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:12, Reason: Child Process
Unmonitor End Time: 00:02:14, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfa4
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1170
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #377: net.exe
Information Value
ID #377
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$PROD /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:12, Reason: Child Process
Unmonitor End Time: 00:02:14, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1068
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xADC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000cffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef4810000 0x7fef4821fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #378: net1.exe
Information Value
ID #378
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:12, Reason: Child Process
Unmonitor End Time: 00:02:13, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x109c
Parent PID 0x104c (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFAC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x001effff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffc50000 0xffc82fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffc50000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:55 (UTC) True 1
Get Time type = Ticks, time = 166063 True 1
Process #379: net1.exe
Information Value
ID #379
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$PROD /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:12, Reason: Child Process
Unmonitor End Time: 00:02:13, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x11e0
Parent PID 0x1058 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9B8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
locale.nls 0x00260000 0x002c6fff Memory Mapped File r False False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
private_0x00000000004c0000 0x004c0000 0x004cffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffc50000 0xffc82fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffc50000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:55 (UTC) True 1
Get Time type = Ticks, time = 166078 True 1
Process #380: net.exe
Information Value
ID #380
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop msftesql$PROD /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:12, Reason: Child Process
Unmonitor End Time: 00:02:14, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa48
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x118C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #381: net.exe
Information Value
ID #381
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop NetMsmqActivator /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:12, Reason: Child Process
Unmonitor End Time: 00:02:14, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1130
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1108
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #382: net1.exe
Information Value
ID #382
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLServerADHelper /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:13, Reason: Child Process
Unmonitor End Time: 00:02:14, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x10d8
Parent PID 0xfa4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1080
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff1f0000 0xff222fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4810000 0x7fef4821fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff1f0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:55 (UTC) True 1
Get Time type = Ticks, time = 166515 True 1
Process #383: net1.exe
Information Value
ID #383
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$PROD /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:13, Reason: Child Process
Unmonitor End Time: 00:02:14, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x111c
Parent PID 0x1068 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xAE0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0021ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff1f0000 0xff222fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4810000 0x7fef4821fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff1f0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:55 (UTC) True 1
Get Time type = Ticks, time = 166546 True 1
Process #384: net.exe
Information Value
ID #384
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop EhttpSrv /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:13, Reason: Child Process
Unmonitor End Time: 00:02:14, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1144
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x120C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #385: net.exe
Information Value
ID #385
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ekrn /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:13, Reason: Child Process
Unmonitor End Time: 00:02:14, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x998
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x0020ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #386: net1.exe
Information Value
ID #386
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop NetMsmqActivator /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:13, Reason: Child Process
Unmonitor End Time: 00:02:14, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xad8
Parent PID 0x1130 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x888
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory rw True False False -
locale.nls 0x00210000 0x00276fff Memory Mapped File r False False False -
private_0x0000000000360000 0x00360000 0x0036ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff050000 0xff082fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4810000 0x7fef4821fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 55 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff050000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (5)
Operation Additional Information Success Count
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 1
Get Info service_name = NETMSMQACTIVATOR True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:56 (UTC) True 1
Get Time type = Ticks, time = 166921 True 1
Process #387: net1.exe
Information Value
ID #387
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop msftesql$PROD /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:13, Reason: Child Process
Unmonitor End Time: 00:02:14, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xb00
Parent PID 0xa48 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x11E8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
private_0x0000000000540000 0x00540000 0x0054ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff050000 0xff082fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4810000 0x7fef4821fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff050000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:56 (UTC) True 1
Get Time type = Ticks, time = 166921 True 1
Process #388: net.exe
Information Value
ID #388
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ESHASRV /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:13, Reason: Child Process
Unmonitor End Time: 00:02:14, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1168
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1210
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #389: net.exe
Information Value
ID #389
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:13, Reason: Child Process
Unmonitor End Time: 00:02:14, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x798
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x11DC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #390: net1.exe
Information Value
ID #390
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ekrn /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:13, Reason: Child Process
Unmonitor End Time: 00:02:15, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xb7c
Parent PID 0x998 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x11F4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x000dffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff5a0000 0xff5d2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff5a0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:56 (UTC) True 1 Fn
Get Time type = Ticks, time = 167264 True 1 Fn
Process #391: net1.exe
17 0
Information Value
ID #391
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop EhttpSrv /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:13, Reason: Child Process
Unmonitor End Time: 00:02:14, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x94c
Parent PID 0x1144 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x1200
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0025ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff5a0000 0xff5d2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff5a0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:56 (UTC) True 1 Fn
Get Time type = Ticks, time = 167264 True 1 Fn
Process #392: net.exe
0 0
Information Value
ID #392
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:13, Reason: Child Process
Unmonitor End Time: 00:02:15, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8d8
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x950
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000120000 0x00120000 0x0021ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #393: net.exe
0 0
Information Value
ID #393
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop AVP /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:14, Reason: Child Process
Unmonitor End Time: 00:02:15, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9fc
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA6C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #394: net1.exe
17 0
Information Value
ID #394
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:14, Reason: Child Process
Unmonitor End Time: 00:02:15, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1204
Parent PID 0x798 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x11F0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
locale.nls 0x00230000 0x00296fff Memory Mapped File r False False False -
private_0x0000000000300000 0x00300000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff810000 0xff842fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff810000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:56 (UTC) True 1 Fn
Get Time type = Ticks, time = 167545 True 1 Fn
Process #395: net1.exe
17 0
Information Value
ID #395
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ESHASRV /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:14, Reason: Child Process
Unmonitor End Time: 00:02:14, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x49c
Parent PID 0x1168 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x7C8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000a0000 0x000a0000 0x000affff Private Memory rw True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff810000 0xff842fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff810000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:56 (UTC) True 1 Fn
Get Time type = Ticks, time = 167669 True 1 Fn
Process #396: net.exe
0 0
Information Value
ID #396
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop klnagent /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:14, Reason: Child Process
Unmonitor End Time: 00:02:15, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x474
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x604
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef4810000 0x7fef4821fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #397: net.exe
0 0
Information Value
ID #397
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:14, Reason: Child Process
Unmonitor End Time: 00:02:16, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xea8
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x974
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #398: net1.exe
17 0
Information Value
ID #398
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:14, Reason: Child Process
Unmonitor End Time: 00:02:15, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x948
Parent PID 0x8d8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8E8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0041ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff810000 0xff842fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff810000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:57 (UTC) True 1
Get Time type = Ticks, time = 167935 True 1
Process #399: net1.exe
17 0
Information Value
ID #399
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop AVP /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:14, Reason: Child Process
Unmonitor End Time: 00:02:14, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x8d4
Parent PID 0x9fc (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA70
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff810000 0xff842fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4900000 0x7fef4911fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff810000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:57 (UTC) True 1
Get Time type = Ticks, time = 167903 True 1
Process #400: net.exe
0 0
Information Value
ID #400
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:14, Reason: Child Process
Unmonitor End Time: 00:02:16, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb78
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x830
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #401: net.exe
0 0
Information Value
ID #401
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop wbengine /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:14, Reason: Child Process
Unmonitor End Time: 00:02:16, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7f0
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x918
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #402: net1.exe
17 0
Information Value
ID #402
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop klnagent /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:14, Reason: Child Process
Unmonitor End Time: 00:02:15, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xbb8
Parent PID 0x474 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC04
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x0013ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff190000 0xff1c2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4810000 0x7fef4821fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff190000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:57 (UTC) True 1
Get Time type = Ticks, time = 168262 True 1
Process #403: net.exe
0 0
Information Value
ID #403
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop kavfsslp /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:14, Reason: Child Process
Unmonitor End Time: 00:02:17, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xac4
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x8B4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #404: net1.exe
17 0
Information Value
ID #404
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:15, Reason: Child Process
Unmonitor End Time: 00:02:15, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xa98
Parent PID 0xea8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x170
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
private_0x00000000004b0000 0x004b0000 0x004bffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffdf0000 0xffe22fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4810000 0x7fef4821fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffdf0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:57 (UTC) True 1
Get Time type = Ticks, time = 168481 True 1
Process #405: net1.exe
17 0
Information Value
ID #405
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:15, Reason: Child Process
Unmonitor End Time: 00:02:15, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xfb8
Parent PID 0xb78 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x288
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000cffff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffdf0000 0xffe22fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4810000 0x7fef4821fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffdf0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:57 (UTC) True 1
Get Time type = Ticks, time = 168621 True 1
Process #406: net.exe
0 0
Information Value
ID #406
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop KAVFSGT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:15, Reason: Child Process
Unmonitor End Time: 00:02:18, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8c4
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC2C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000100000 0x00100000 0x001fffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #407: net.exe
0 0
Information Value
ID #407
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop KAVFS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:15, Reason: Child Process
Unmonitor End Time: 00:02:18, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0x2e0
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 660
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #408: net1.exe
Information Value
ID #408
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop wbengine /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:15, Reason: Child Process
Unmonitor End Time: 00:02:16, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xb20
Parent PID 0x7f0 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x944
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000120000 0x00120000 0x0012ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffc40000 0xffc72fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4810000 0x7fef4821fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 63 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffc40000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (5)
Operation Additional Information Success Count
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 1
Get Info service_name = WBENGINE True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:58 (UTC) True 1
Get Time type = Ticks, time = 168871 True 1
Process #409: net1.exe
Information Value
ID #409
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop kavfsslp /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:15, Reason: Child Process
Unmonitor End Time: 00:02:17, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x7f4
Parent PID 0xac4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xAD0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffc40000 0xffc72fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4810000 0x7fef4821fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffc40000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:58 (UTC) True 1
Get Time type = Ticks, time = 168886 True 1
Process #410: net.exe
Information Value
ID #410
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop mfefire /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:15, Reason: Child Process
Unmonitor End Time: 00:02:18, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x870
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xDEC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xff960000 0xff97bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #411: cmd.exe
Information Value
ID #411
File Name c:\windows\system32\cmd.exe
Command Line "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe" /f
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:15, Reason: Child Process
Unmonitor End Time: 00:02:18, Reason: Self Terminated
Monitor Duration 00:00:03
OS Process Information
Information Value
PID 0xe7c
Parent PID 0xb0 (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xE88
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0015ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
private_0x00000000004c0000 0x004c0000 0x005bffff Private Memory rw True False False -
pagefile_0x00000000005c0000 0x005c0000 0x00747fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000750000 0x00750000 0x008d0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000008e0000 0x008e0000 0x01cdffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001ce0000 0x01ce0000 0x02022fff Pagefile Backed Memory r True False False -
sortdefault.nls 0x02030000 0x022fefff Memory Mapped File r False False False -
cmd.exe 0x4a810000 0x4a868fff Memory Mapped File rwx True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
winbrand.dll 0x7fef8f40000 0x7fef8f47fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop type = file_attributes True 2
Open STD_OUTPUT_HANDLE - True 5
Open STD_INPUT_HANDLE - True 3
Registry (17)
Operation Key Additional Information Success Count
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Process (1)
Operation Process Additional Information Success Count
Create C:\Windows\system32\reg.exe os_pid = 0xdac, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Module (8)
Operation Module Additional Information Success Count
Get Handle c:\windows\system32\cmd.exe base_address = 0x4a810000 True 1
Get Handle c:\windows\system32\kernel32.dll base_address = 0x77550000 True 2
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 True 1
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x77566d40 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x775623d0 True 1
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x77558290 True 1
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x775617e0 True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:58 (UTC) True 1
Get Time type = Ticks, time = 169479 True 1
Environment (19)
Operation Additional Information Success Count
Get Environment String - True 7
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 2
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Get Environment String name = PROMPT False 1
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Get Environment String name = KEYS False 1
Set Environment String name = PROMPT, value = $P$G True 1
Set Environment String name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop True 1
Set Environment String name = COPYCMD True 1
Set Environment String name = =ExitCode, value = 00000000 True 1
Set Environment String name = =ExitCodeAscii True 1
Process #412: dwm.exe
Information Value
ID #412
File Name c:\windows\system32\dwm.exe
Command Line "C:\Windows\system32\Dwm.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:16, Reason: Injection
Unmonitor End Time: 00:02:42, Reason: Self Terminated
Monitor Duration 00:00:26
OS Process Information
Information Value
PID 0x448
Parent PID 0x33c (Unknown)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x6D8, 0x32C, 0x460, 0x454, 0x44C, 0xCE0, 0x0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00041fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory rw True False False -
private_0x0000000000110000 0x00110000 0x00112fff Private Memory rw True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory rw True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
pagefile_0x00000000001b0000 0x001b0000 0x00337fff Pagefile Backed Memory r True False False -
private_0x0000000000340000 0x00340000 0x00340fff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x00352fff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
pagefile_0x0000000000480000 0x00480000 0x00600fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000610000 0x00610000 0x01a0ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001a10000 0x01a10000 0x01e02fff Pagefile Backed Memory r True False False -
rsaenh.dll 0x01e10000 0x01e54fff Memory Mapped File r False False False -
private_0x0000000001e70000 0x01e70000 0x01e7ffff Private Memory rw True False False -
private_0x0000000001e80000 0x01e80000 0x01f7ffff Private Memory rw True False False -
pagefile_0x0000000001f80000 0x01f80000 0x0205efff Pagefile Backed Memory r True False False -
private_0x0000000002070000 0x02070000 0x020effff Private Memory rw True False False -
private_0x0000000002170000 0x02170000 0x021effff Private Memory rw True False False -
private_0x00000000021f0000 0x021f0000 0x022effff Private Memory rw True False False -
private_0x0000000002300000 0x02300000 0x0237ffff Private Memory rw True False False -
private_0x00000000023f0000 0x023f0000 0x0246ffff Private Memory rw True False False -
sortdefault.nls 0x02490000 0x0275efff Memory Mapped File r False False False -
private_0x0000000002760000 0x02760000 0x02854fff Private Memory rw True False False -
private_0x0000000002a50000 0x02a50000 0x02acffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
psapi.dll 0x77830000 0x77836fff Memory Mapped File rwx False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
dwm.exe 0xff310000 0xff332fff Memory Mapped File rwx False False False -
private_0x000000013f3b0000 0x13f3b0000 0x13f3e5fff Private Memory rwx True False False -
dxgi.dll 0x7fefa700000 0x7fefa7a6fff Memory Mapped File rwx False False False -
d3d10_1core.dll 0x7fefa7b0000 0x7fefa804fff Memory Mapped File rwx False False False -
d3d10_1.dll 0x7fefa810000 0x7fefa843fff Memory Mapped File rwx False False False -
dwmcore.dll 0x7fefa850000 0x7fefa9e1fff Memory Mapped File rwx False False False -
dwmredir.dll 0x7fefa9f0000 0x7fefaa16fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
windowscodecs.dll 0x7fefb970000 0x7fefba99fff Memory Mapped File rwx False False False -
dwmapi.dll 0x7fefbae0000 0x7fefbaf7fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fefbf10000 0x7fefbf65fff Memory Mapped File rwx False False False -
version.dll 0x7fefc780000 0x7fefc78bfff Memory Mapped File rwx False False False -
userenv.dll 0x7fefc960000 0x7fefc97dfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
profapi.dll 0x7fefd5c0000 0x7fefd5cefff Memory Mapped File rwx False False False -
msasn1.dll 0x7fefd660000 0x7fefd66efff Memory Mapped File rwx False False False -
crypt32.dll 0x7fefd750000 0x7fefd8b6fff Memory Mapped File rwx False False False -
wintrust.dll 0x7fefd8c0000 0x7fefd8f9fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
shell32.dll 0x7fefe360000 0x7feff0e7fff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory rw True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Injection Information
»
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Memory #1: c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe 0x188 address = 0x13f3b0000, size = 221184 True 1
Fn
Data
Create Remote Thread #1: c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe 0x188 address = 0x13f3b1a30 True 1
Fn
Created Files
Filename File Size Hash Values YARA Match Actions
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f 0.05 KB MD5: 93a5aadeec082ffc1bca5aa27af70f52
SHA1: 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256: a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SSDeep: 3:/lE7L6N:+L6N
False
C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE 1.41 KB MD5: 9f6de4ccbe4f4d15e66545fde095b799
SHA1: 3c1829dcfe45c6f46ea70c90cdd8dfb79e1b7ff2
SHA256: bbe66531a9c4dc9576e2645ff26cdf551e67562b942c8761e2d7787ee6de942a
SSDeep: 24:QKvn1H/tMgLvcqAXbrAh+mJckKtAF3SqJfCSRIE0C0wyFwFpjm2pOKp+lZstKCWl:hv1fta0gmJPBIE1vyFwrjmh8Zi
False
C:\users\Public\PUBLIC 0.27 KB MD5: 186e664ce93f20fef1e4b509afaf24af
SHA1: 5c8250300a05253454aba5472e83584c78fe0090
SHA256: 3e4829387c720258cda0cb27703e11efbb595f60da59d007261d99fe683f5702
SSDeep: 6:mtNmVWpJtTTGSVJTVM7ef4ShKksxuU+nhRWRsZ05LQlH0hejj:YmVcJBrJGyQSgksxIHWR0ULIYKj
False
C:\ProgramData\RyukReadMe.txt 0.78 KB MD5: cf525d95dcf6b4a874727fd34f62c7ec
SHA1: cbb47b81c1fad34bcd3604dc978f137006d33440
SHA256: 0b07aceb0d18cd1edf368fc9c60d19b00b2c4d5a077a412cabbad9172f2f64f3
SSDeep: 24:iVezHysv9F2Ob/87gPsoU3gMqvKHHLb1+y3RhXY2bfbX9n:xzSsv9FjxFiH0iDbfbX9
False
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f 0.33 KB MD5: fc5d5238675198673fdbeff0f6190ed8
SHA1: 4fca0f45bca53d4940fc61886bc99f795850e3f4
SHA256: db25c8c7b752f07d09f86cf4c0407714c4c84c024ab948f46914206f82b96d88
SSDeep: 6:7iVRFFT6QeWMEEXD4D4gW1M72LV1KVp+Yg0kU1gWsMStJ3eFi76:GPFFT9FEz4D5yLiVDPkU1gWsMSzM
False
Modified Files
Filename File Size Hash Values YARA Match Actions
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Adobe\Acrobat\10.0\SharedDataEvents 5.28 KB MD5: 057a2630c9c6c8b54ddc8cdf51b6c889
SHA1: 78ee51b2b39bb5b2260bd5f2752e053001e210bc
SHA256: 970ccc49455d8f0a7dbe566ef06fa4d3f9e4b94fbc219dc949a48bba78261fef
SSDeep: 96:q/pHs+/i+K7qZC2eUUjFApfLO04VqpRZ/3zo+t4sso/HyuTjx5:qBs+q4Cb6z2ydo0DX
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\IconCache.db 1.15 MB MD5: 61e275b31afdbf609f2895fcec2348fc
SHA1: 147dd6e8a297d7d39de67b2164a99f9631bb9657
SHA256: ae71bf7435e54069033eb4d2394bc2aa6c2471e084a1837de33b6e8ab9f1c9ba
SSDeep: 24576:rZ50OwgQivJFHl6BIuRa8yEbi/eAwVNV8/RDeaHYB1KIdNiy:vugQGJKBt68VNV8/RZHnINL
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Adobe\Color\Profiles\wscRGB.icc 64.94 KB MD5: 1b29b937cac9f74eab9b957dd186ca22
SHA1: 4dcbc339777f87f9a6187c7053749375caeb9eb4
SHA256: a345cad2de04f3e36092ec85ff6f280f6b9efc8a0252301a20c599918972d1c8
SSDeep: 1536:Gz7AqpK8ZpmvbmVAlNunHI68kXzUFKa3EIFN9PauOfuxUBpfxVXiIzPYlLcB:w7AqpsCVbx8+QYy9PauYpfXXhgloB
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Apps\2.0\DQQ19BCJ.JAX\YVORLGOR.PNT\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\clickonce_bootstrap_unsigned.manifest 1.63 KB MD5: 59f5beed342484321ea5dda5a71fad0b
SHA1: 059d29329c45157e88018f800fd12134462a3ba7
SHA256: 1576874f0af1b0f24f5291c970447a1f406c95a3e1f85a18a4a6a80920c06f31
SSDeep: 48:E1tdpuElcocWPsWpC09IIUN45naA4B9P+aP0zH0CI35:IT70IRHUN45naAYYhPy5
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Feeds Cache\index.dat 32.28 KB MD5: 451f6f1f3b13d1bec82b115c4e877624
SHA1: c6c3d82a5745dc2894eb0ee73b93b20b3da0221c
SHA256: 8adf4b20134405c5b42a22c5fa2decdd8970dcdf30109e47014cdfe7e44d3328
SSDeep: 768:+Rm7zaw6TjWl5/7oIEhdq7gGAJmxejUbOwlPFOCia:+Rm7d6/EGI+mxeIbO87ia
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Apps\2.0\DQQ19BCJ.JAX\YVORLGOR.PNT\manifests\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms 14.46 KB MD5: 909d9a56ecac0e4e3a0683bf65a22fae
SHA1: 225ae12ae7aef25719dd1d8ae0dca2069446e144
SHA256: 32dd729dac0a123a719c425deea9c0a57f6bd8b403c4f441b3961e1a3da28df7
SSDeep: 384:5LMr+vJX+N6IK4LE8ZpUl3o76U2uIg2yKA2BXo6940:54ioNlLvZpP6l
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\GDIPFONTCACHEV1.DAT 106.55 KB MD5: 56328bed130ee6e22948e1470bf2e37e
SHA1: 3a9171e26aaa20078f769ba23292f3fde41386ec
SHA256: 59d0572f326b06a410e4ee948a4940f91654d82498739141bd7e44658cfadd07
SSDeep: 1536:0MV/+DV36sU4X7OO1Ll3rQTVCT4/7TibsCc2uARxXtZs8JxtuAaVQnZo5mWZyMqN:uguOO1LFnTi7Tib22uA7dRJnuoiN3Gh
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms 6.78 KB MD5: 2531730451fd3548f0b732dd061a4c45
SHA1: 98b593ac7ee3881152f37cb3caa592069aa485cf
SHA256: fc2cd425f3eb1d7f76ca486c73f1daf5ae5a5807b959064e077610403020c385
SSDeep: 192:aZoJ/ZhoqAV+Keov3nt7cu/rUpZaYtgR4sl9WMTaiIz07q:D/5Ap3Phcu/GZaYtgR4INTuzp
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat 32.28 KB MD5: f519504b0e49f52912c9caa8ce43e579
SHA1: 327fea8b6fbf19672133bdad7d82f9859fe607d6
SHA256: 1eae2dd353fe5b2ae31819c180f39fd1d1801dcbd41bb8b4231c15f0ae013188
SSDeep: 768:yum0Jt6nGIvHJIXcX1b8+F0xXDfAEfR1nrRWGPYWzQP:73JgnvpIX+L0xX77fR1x7zQP
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Web Slice Gallery~.feed-ms 28.28 KB MD5: a019696cc1405f9486c809a756055fd4
SHA1: 204373d86729fb461b3f01ccd70f7e019eab4d5a
SHA256: 95e7ba0c2a62b269f4b0ed2eb3b593aceb3ce20a08d66070f22a02b96b7b11c1
SSDeep: 768:RxxYYWkg8zAVzP5bJSK+ouO+q4vgvbZG4dU0Li:RxxJWMkZ9+HObVGVyi
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms 28.28 KB MD5: e77a663b0bc5172536e2c817bd649d0a
SHA1: 9918a3a1e8a4b16b6c891f7264ea57b298c68a7e
SHA256: 33589ca1df09d2f3a628ac42a52b9d664b67c27bd6875d73cf4198fb052f21ae
SSDeep: 768:zNr13IEvrhoh+d4lFOKsPNrgEqxos9ITmzU2R/BtX:16qqlgyas9xzxftX
False
C:\ProgramData\Adobe\ARM\Reader_10.0.0\AdbeRdrUpd10110_MUI.msp 10.00 MB MD5: bee2244b1f0f2ec25e0648ce2c1eb980
SHA1: abeef3357a345474bebd943108438e4956a57e3c
SHA256: a8641dbe257b60cc74c6f52c84edbc911ea949aab7377b3cd21b4ff99f453e86
SSDeep: 196608:+prUEIskXlgnV7wmfNvDXadSLsS8nQsiAESOsYnwZrja9segf:+pYEhtw+vsItAqpnevIu
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Adobe\Acrobat\10.0\Cache\AcroFnt10.lst 52.22 KB MD5: ab52caa4af314d6e3b85ae0d76d7d8d6
SHA1: 46343ce5fe0b22a0a1e6de0c03a58ba9a6da19d3
SHA256: ae209b6edbf78c0fe853705a998f8fb7afa53e7320ec809b29f7ef05a0baaf96
SSDeep: 1536:/lJkT/65TGjkG/yq9/GN+pavpwlNIITfPpBKne:/l36kG/yq9/GZvWl26/Ke
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Internet Explorer\frameiconcache.dat 9.27 KB MD5: 2b8d559c6c1f989f356577f91e2b3617
SHA1: 9d2080ce7c52803d892866cbf4a4cc58479508ab
SHA256: 8b62b4e15225be37b303a025ec925b2529f0b5883ca19ac39f6923c73de79f84
SSDeep: 192:6qJ/BJLbgU80TKa/vSwVkPEWc2tDJLB03wt+pqSY03o+/kG6:6sBFbx80TKWgE6DJNTsBRod
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Internet Explorer\brndlog.bak 12.19 KB MD5: 72307cbf5fa22d6c6e8091d76181b8b7
SHA1: 6e5bf02c13c01e98ad44f170dd3e318cfa5fe918
SHA256: 3ac6039261990b10c51f5d52963f23328b3328d5f2bd6973000e078576dbfed5
SSDeep: 192:KV0UOS6S47qTNfI7mJUnB076KdX3kSmhsZHLoCIm2ItAW0v+wa3Ufi:Hi6SVTNgmJ0cnTgsZnIby0Vakfi
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Adobe\Color\Profiles\wsRGB.icc 2.89 KB MD5: 6c1f2ef13a16828dc65d2f079a8255cc
SHA1: 21d85876a4eb0bc3626e549f59cbf188ef68e3e1
SHA256: 2789708469fead08be3f1c78b89e4eeb6fc2a7b7a67fada7f7d42c6acd83a3b6
SSDeep: 48:Y4BZDiIaYwsVC6i0SWvWcM6Uj+m4C93P+Kje7xeX6PF3wDzCnhsus8odJ1fbLbY/:YYwIHhi0TNMZ+sWKjAkX6twDzm2Dz/Y/
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Work~.feed-ms 28.28 KB MD5: 4d96426b472e52017b4225b0bc08cb14
SHA1: d79a8f3e89b363dc7e57a9c86666d8180a657111
SHA256: 9746d4f0d20b39bad9a6a73b9ce029b89eeda3bb13d764da356f124f6d839737
SSDeep: 768:3hOoQqG22UcmCNlANW+Zbk6phoe3kiNOrxXLR:ROoQl22NmCNSQ+1p+9WidR
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Apps\2.0\DQQ19BCJ.JAX\YVORLGOR.PNT\manifests\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest 11.83 KB MD5: de6e9fdea961e067ba38df98fa075a0e
SHA1: 2fdfd89a3238ed22194f2f1b98a35824209b1306
SHA256: 4e96932c7a0031d1ad86eb8224e8cb59ec0a7af3b1d2eb3b0a8c37768067b70a
SSDeep: 192:7RQekrtW882SxWP0QQUFFRD82qnnV20Hyhp5fN4s3CqfltXvVHgGWQ+Ag2ruYsZ4:NpkrtWDW0BAInVdQp5es3CELRQE9s9hK
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Adobe\Acrobat\10.0\UserCache.bin 75.94 KB MD5: d5e45fa5b0a6962e07d5c784e196fc98
SHA1: 6b35f95a0d44e84347c83190f902d4ba175de0ee
SHA256: c06f22148dacc137fd1476b6406be0bdeadd2ccfbd8aae5c324e7fb2a2669549
SSDeep: 1536:kRwE9HYv8tllf5bJyJt0D1o3bmLKVfzs83LFeSMl6eBnv9SGb:kiE96Y5bJwEoFp06e59SGb
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms 32.28 KB MD5: 59168e57f56fba53a592717e25b9a502
SHA1: 17ffae800dbc6af28cd059861694f3b05a916337
SHA256: 85ac10192d8269f9ae53eec1c47974f083c178deeb03934cb5100df2f8ea2fe5
SSDeep: 768:VHKM0eZpoLC4sBdMazggM1JXMkO/2Zv5d22QX4mQ4:UCZpP9zr0FaGv5m4mP
False
C:\ProgramData\Microsoft\MF\Pending.GRL 14.89 KB MD5: 2ec65b9302acfe1eab9afe36337d9b12
SHA1: 71da32ee72eaa44c9c4a72b05a2a439dbf981dc6
SHA256: 38c4474b1296caa28ce156629d614a772f73f764108053ce81d95a0a1d39b052
SSDeep: 192:SHz4S/sB+A54JZhWRa5DA2a2y+EmTptYRy7lKKBjq5egqhROABJ/nxnYU+cuDr:SXhH2RMVEeptisleiHLr/naU+cAr
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Internet Explorer\brndlog.txt 12.21 KB MD5: 16e18a43ea1887e9706a530eb5ab287a
SHA1: b7c4c5f69c8dc30b3f0449f1aadf846b9fb2ac6f
SHA256: 61a5eae08babbd7bf1a7a74f6135bc2acd9ecda335216f90c10f2b5962f428db
SSDeep: 384:5A9/OSzSdtLT+kfv7NmVJB6ySc7+MjgtBa:5A9Rm1K8vg3B68+MjgtBa
False
C:\ProgramData\Adobe\ARM\Reader_10.0.0\AdbeRdrSecUpd10111.msp 246.28 KB MD5: 7880b39e749d1cb7ed1ab93a096f8657
SHA1: 9062935ad92abe63a1e5b07867285be37c770a02
SHA256: fc21803858556c1ab7a4397ffee49fb7319b10b86e1f982c5517a19b9a6e918e
SSDeep: 6144:ArE6IYqNsnyD+I0jJ758UcY3yvG+nZC9jQssrw/6:MEX2nCG57cYCvdZCuH
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Apps\2.0\DQQ19BCJ.JAX\YVORLGOR.PNT\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\clickonce_bootstrap_unsigned.cdf-ms 4.00 KB MD5: 3df1c409522484f0444819cf275f4e1e
SHA1: 98397e85da7eeaf11d618e70528a5ad317b82ddd
SHA256: 4d5a8ff9dd7eca98cd6e00de226db67676d87be175a07639bea1c3be0284c557
SSDeep: 96:Oh35mR+04NSvnAV7tisPR0RtDmwJQ/XRuJn4HpoQyaR8qek:OF50+hSgRiTnJiX0J4Hpo7aCq9
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT 240.49 KB MD5: 0a3a2956db370003bef1a253b46e560d
SHA1: 0e023b9f32a2731277f386d66cf8a3eedf327113
SHA256: 1e9205432c385194d89407bd6dbeeeb99e5ac257fd3ca64de4d8408a2919c1a8
SSDeep: 6144:8fG254sJLRflHxdH4ottmgUv0cQH51Hm76tg:ghLRflHTlt8aHZdHg
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Adobe\Acrobat\10.0\AdobeCMapFnt10.lst 34.56 KB MD5: 56f6181c221967e744418a712971c06e
SHA1: 102ba6a48cd773a38ef537e02823e1a2cfcc925c
SHA256: 1b56a75d6f634bb8916ace5b123511de0d5fdec9c0e94c437158eb8f6289ad51
SSDeep: 768:dJABvhzFIdVlOqZ0tqAnkD4kBPIypFsqCri88QJOgOh:7ABJRId71cqAnaxrJX88QJOR
False
C:\ProgramData\Adobe\ARM\Reader_10.0.0\AdbeRdrUpd10116_MUI.msp 10.00 MB MD5: 98471a4cf3e54df2296b2ab951280c22
SHA1: b6fedeb8e76a4231b9cdeceb6efb791cc6e306a7
SHA256: 531664317f2f71e7d36aec41b4bcd27665f370aa419daf364896d16369cff6a0
SSDeep: 196608:LK+vt6jPAgl8DH2+Qo4iT6YqQitS7+KgxUzGVw9vV+Ud5CP46ZjNK:LcNI6xdBISxUzGVw7+YMggK
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Adobe\Acrobat\10.0\AdobeSysFnt10.lst 135.49 KB MD5: 00589b95ce7c6813430c31755105c923
SHA1: 517407c2fe6e4e8656aace74573faea54acc0adf
SHA256: 1edbcb1135623ca774eef47e03581feef16c2529b0622bd48578b9d5b7de0417
SSDeep: 3072:ObIYLcHXqh8y5QZUASjjRqctrO8SykXzvh9ieuqXIBU:ObFcHXV4iFUjR5dobLhfIu
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Adobe\Color\ACECache11.lst 1.42 KB MD5: af659794f2a93c4f9508bb1e94a48d67
SHA1: 749a94e2829629283582e52658b9aa80ee658ef9
SHA256: 16b8a1a4c0c50a360cb4fb3e1bbdc8f2275b678bbd7a1d2f01fe7d1da6569db7
SSDeep: 24:BuRuASNYOvoPIqQIiwcsw0pKjHiu/EYBvjNreXceaauLm/ThBIVwA+E:0RAqZIdDsw0wjHiu/vhe+LSTgaAd
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Home~.feed-ms 28.28 KB MD5: ffc74800d0fe4fc5ff26018719163093
SHA1: e4f599dcce589d4f771288fd74414d406f464bc5
SHA256: ba5c92040d4a391defe0112899a0b7015dc5a4b5745888bf73114fc3a8e18be9
SSDeep: 768:kwqX8QRykCbI30GnuvZ6Q+75vq1GkH4i+VDrlkI5:kwmvRykCR0Qvk41TH4LhrN5
False
C:\ProgramData\Microsoft\MF\Active.GRL 14.89 KB MD5: 7e52222840b71c6a8892525f525791a3
SHA1: c2086c737b849bf171e3857ac3361ae5291a56e9
SHA256: 4fb1f6d9cf9abfe305580289825c850366d0a8bbf9f3cc686615f29b72f565e7
SSDeep: 384:vs9Jy/T2PznHM1Wepb1zLeB+nqC3kpgz+tXbo:vwJyT2PznsYe51zdqBW+tXs
False
Host Behavior
File (2986)
Operation Filename Additional Information Success Count Logfile
Create C:\users\Public\sys desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN False 1
Create C:\users\Public\sys desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN True 1
Create C:\users\Public\PUBLIC desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\users\Public\PUBLIC desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 2
Create C:\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 6
Create C:\Boot\BCD desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\BCD.LOG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\BCD.LOG1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\BCD.LOG2 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\BOOTSTAT.DAT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 25
Create C:\Boot\cs-CZ\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\da-DK\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\de-DE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\el-GR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\es-ES\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\fi-FI\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\Fonts\chs_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\Fonts\cht_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\Fonts\jpn_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\Fonts\kor_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\Fonts\wgl4_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\Fonts\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\fr-FR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\hu-HU\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\it-IT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\ja-JP\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\ko-KR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\nb-NO\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\nl-NL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\pl-PL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\pt-BR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\pt-PT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\ru-RU\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\sv-SE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\tr-TR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\zh-CN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\zh-HK\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Boot\zh-TW\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\bootmgr desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\BOOTSECT.BAK desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Config.Msi\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Documents and Settings\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\hiberfil.sys desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\MSOCache\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\pagefile.sys desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\PerfLogs\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 6
Create C:\Program Files\Common Files\DESIGNER\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 27
Create C:\Program Files\Common Files\Microsoft Shared\DW\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\EQUATION\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\Microsoft Shared\EQUATION\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.CNT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.HLP desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\EQUATION\MTEXTRA.TTF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\EURO\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Filters\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\CGMIMP32.CFG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\CGMIMP32.FLT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\CGMIMP32.FNT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\GIFIMP32.FLT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.CGM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.EPS desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.JPG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.WPG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PICTIM32.FLT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\WPGIMP32.FLT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Help\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 38
Create C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 10
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\MSClientDataMgr\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\MSInfo\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 4
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\ADO210.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\README.HTM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MUAUTH.CAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 22
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUISet.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\ExcelMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\GrooveMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\InfoPathMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OCT.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUISet.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSCONFIG.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10O.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10R.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\Office32MUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.WW\Office32WW.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.WW\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OneNote.en-us\OneNoteMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OneNote.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OneNote.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Outlook.en-us\OutlookMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Outlook.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Outlook.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\pkeyconfig-office.xrm-ms desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\PowerPointMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PRJPROR\PrjProrWW.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PRJPROR\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PRJPROR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Project.en-us\ProjectMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Project.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Project.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.en\Proof.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.en\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.es\Proof.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.es\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.fr\Proof.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.fr\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proofing.en-us\Proofing.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proofing.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proofing.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PROPLUSR\ProPlusrWW.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PROPLUSR\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PROPLUSR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Publisher.en-us\PublisherMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Publisher.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Publisher.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Visio.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Visio.en-us\VisioMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Visio.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\VISIOR\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\VISIOR\VisiorWW.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\VISIOR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Word.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Word.en-us\WordMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Word.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\PROOF\MSWDS_EN.LEX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\PROOF\MSWDS_ES.LEX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\PROOF\MSWDS_FR.LEX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\PROOF\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 3
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\1033\MCABOUT.HTM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\DATES.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\PHONE.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\STOCKS.DAT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\STOCKS.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\TIME.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\BASMLA.XSL desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\METCONV.TXT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\MSTAG.TLB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Source Engine\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Graph.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(inch).wmf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Month_Calendar.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Music.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\To_Do_List.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TextConv\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TextConv\RECOVR32.CNV desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TextConv\Wks9Pxy.cnv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TextConv\WPFT532.CNV desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TextConv\WPFT632.CNV desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 46
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AFTRNOON\AFTRNOON.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AFTRNOON\AFTRNOON.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AFTRNOON\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AFTRNOON\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AFTRNOON\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ARCTIC\ARCTIC.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ARCTIC\ARCTIC.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ARCTIC\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ARCTIC\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ARCTIC\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AXIS\AXIS.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AXIS\AXIS.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AXIS\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AXIS\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AXIS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLENDS\BLENDS.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLENDS\BLENDS.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLENDS\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLENDS\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLENDS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUECALM\BLUECALM.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUECALM\BLUECALM.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUECALM\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUECALM\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUECALM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUEPRNT\BLUEPRNT.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUEPRNT\BLUEPRNT.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUEPRNT\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUEPRNT\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUEPRNT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BOLDSTRI\BOLDSTRI.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BOLDSTRI\BOLDSTRI.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BOLDSTRI\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BOLDSTRI\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BOLDSTRI\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BREEZE\BREEZE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BREEZE\BREEZE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BREEZE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BREEZE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BREEZE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CANYON\CANYON.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CANYON\CANYON.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CANYON\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CANYON\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CANYON\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CAPSULES\CAPSULES.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CAPSULES\CAPSULES.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CAPSULES\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CAPSULES\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CAPSULES\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CASCADE\CASCADE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CASCADE\CASCADE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CASCADE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CASCADE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CASCADE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\COMPASS\COMPASS.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\COMPASS\COMPASS.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\COMPASS\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\COMPASS\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\COMPASS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CONCRETE\CONCRETE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CONCRETE\CONCRETE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CONCRETE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CONCRETE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CONCRETE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\DEEPBLUE\DEEPBLUE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\DEEPBLUE\DEEPBLUE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\DEEPBLUE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\DEEPBLUE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\DEEPBLUE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECHO\ECHO.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECHO\ECHO.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECHO\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECHO\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECHO\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECLIPSE\ECLIPSE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECLIPSE\ECLIPSE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECLIPSE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECLIPSE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECLIPSE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EDGE\EDGE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EDGE\EDGE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EDGE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EDGE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EDGE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EVRGREEN\EVRGREEN.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EVRGREEN\EVRGREEN.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EVRGREEN\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EVRGREEN\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EVRGREEN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EXPEDITN\EXPEDITN.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EXPEDITN\EXPEDITN.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EXPEDITN\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EXPEDITN\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EXPEDITN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ICE\ICE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ICE\ICE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ICE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ICE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ICE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\INDUST\INDUST.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\INDUST\INDUST.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\INDUST\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\INDUST\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\INDUST\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\IRIS\IRIS.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\IRIS\IRIS.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\IRIS\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\IRIS\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\IRIS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\JOURNAL\JOURNAL.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\JOURNAL\JOURNAL.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\JOURNAL\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\JOURNAL\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\JOURNAL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LAYERS\LAYERS.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LAYERS\LAYERS.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LAYERS\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LAYERS\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LAYERS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LEVEL\LEVEL.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LEVEL\LEVEL.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LEVEL\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LEVEL\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LEVEL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\NETWORK\NETWORK.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\NETWORK\NETWORK.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\NETWORK\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\NETWORK\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\NETWORK\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PAPYRUS\PAPYRUS.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PAPYRUS\PAPYRUS.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PAPYRUS\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PAPYRUS\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PAPYRUS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PIXEL\PIXEL.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PIXEL\PIXEL.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PIXEL\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PIXEL\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PIXEL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PROFILE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PROFILE\PROFILE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PROFILE\PROFILE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PROFILE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PROFILE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\QUAD\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\QUAD\QUAD.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\QUAD\QUAD.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\QUAD\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\QUAD\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RADIAL\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RADIAL\RADIAL.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RADIAL\RADIAL.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RADIAL\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RADIAL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\REFINED\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\REFINED\REFINED.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\REFINED\REFINED.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\REFINED\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\REFINED\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RICEPAPR\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RICEPAPR\RICEPAPR.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RICEPAPR\RICEPAPR.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RICEPAPR\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RICEPAPR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RIPPLE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RIPPLE\RIPPLE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RIPPLE\RIPPLE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RIPPLE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RIPPLE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RMNSQUE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RMNSQUE\RMNSQUE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RMNSQUE\RMNSQUE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RMNSQUE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RMNSQUE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SATIN\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SATIN\SATIN.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SATIN\SATIN.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SATIN\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SATIN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SKY\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SKY\SKY.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SKY\SKY.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SKY\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SKY\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SLATE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SLATE\SLATE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SLATE\SLATE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SLATE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SLATE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SONORA\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SONORA\SONORA.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SONORA\SONORA.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SONORA\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SONORA\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SPRING\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SPRING\SPRING.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SPRING\SPRING.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SPRING\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SPRING\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STRTEDGE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STRTEDGE\STRTEDGE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STRTEDGE\STRTEDGE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STRTEDGE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STRTEDGE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STUDIO\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STUDIO\STUDIO.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STUDIO\STUDIO.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STUDIO\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STUDIO\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SUMIPNTG\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SUMIPNTG\SUMIPNTG.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SUMIPNTG\SUMIPNTG.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SUMIPNTG\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SUMIPNTG\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\THEMES.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATER\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATER\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATER\WATER.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATER\WATER.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATER\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATERMAR\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATERMAR\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATERMAR\WATERMAR.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATERMAR\WATERMAR.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATERMAR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 7
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ARFR\MSB1ARFR.ITS desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ARFR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ENES\MSB1ENES.ITS desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ENES\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ENFR\MSB1ENFR.ITS desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ENFR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ESEN\MSB1ESEN.ITS desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ESEN\WT61ES.LEX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ESEN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FRAR\MSB1FRAR.ITS desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FRAR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.ITS desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FREN\WT61FR.LEX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FREN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\MSB1AR.LEX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\MSB1CACH.LEX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Triedit\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VBA\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\FM20.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBCN6.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBENDF98.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBHW6.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBLR6.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBOB6.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBUI6.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VC\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VGX\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\BIGFONT.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\CHINESET.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\EXTFONT.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\GBCBIG.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\IC-TXT.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\ICAD.FMP desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\WHGDTXT.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\WHGTXT.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\WHTGTXT.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\WHTMTXT.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VSTO\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.config desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee100.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee90.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Web Folders\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\1033\FPEXT.MSG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Services\verisign.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Services\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\SpeechEngines\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\SpeechEngines\Microsoft\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 6
Fn
Create C:\Program Files\Common Files\System\ado\adojavas.inc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\ado\adovbs.inc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\ado\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\System\ado\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\ado\msado20.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\ado\msado21.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\ado\msado25.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\ado\msado26.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\ado\msado27.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\ado\msado28.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\ado\msadomd28.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\ado\msadox28.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\msadc\adcjavas.inc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\msadc\adcvbs.inc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\msadc\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\System\msadc\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\msadc\handler.reg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\msadc\handsafe.reg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\MSMAPI\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\System\MSMAPI\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\Ole DB\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\Ole DB\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\Ole DB\sqloledb.rll desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\audiodepthconverter.ax desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\bod_r.TTF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\directshowtap.ax desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\DVD Maker\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Eurosti.TTF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\fieldswitch.ax desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\offset.ax desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\rtstreamsink.ax desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\rtstreamsource.ax desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\SecretST.TTF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\Common.fxh desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DissolveAnother.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DissolveNoise.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 16
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\LightBlueRectangle.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\MainMenuButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_rightarrow.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\babypink.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_matte2.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_MATTE2_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_rgb6.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_RGB6_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-next-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\button-highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-foreground.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\curtains.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_precomp_matte.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_matte.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_MATTE_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_rgb.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_RGB_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\notes-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\play-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BlackRectangle.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_glass.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_selectionsubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_videoinset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\circle_glass_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureA.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureB.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_VideoInset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Dot.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\DvdTransform.fx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\pagecurl.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\15x15dot.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotslightoverlay.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\full.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\pushplaysubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\heart_glass_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_VideoInset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\15x15dot.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\colorcycle.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\huemainsubpicture2.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\title_stripe.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\layers.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-image-mask.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-overlay.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-back-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-previous-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-overlay.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Memories_buttonClear.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_btn-back-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_content-background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\scrapbook.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_content-background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_mainImage-mask.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_select-highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\decorative_rule.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\vintage.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\720x480blacksquare.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIconSubpictur.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIconSubpict.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Mask1.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Subpicture1.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIconSubpi.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\redmenu.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_notes.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Notes_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_scene.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\userContent_16x9_imagemask.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\whitemenu.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-over-select.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-over-select.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-over-DOT.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-over-select.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-border.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-shadow.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-backglow.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-border.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_notes-txt-background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\rollinghills.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_buttongraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_selectionsubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_videoinset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_VideoInset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047_576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\pushplaysubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_item.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_title.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\15x15dot.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\720x480icongraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\reflect.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_babypink_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_glass_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_highlights_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_performance_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_plain_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_postage_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_scrapbook_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_specialocc_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_travel_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_widescreen_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\203x8subpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\bandwidth.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\blackbars80.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\scene_button_style_default_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_buttongraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_selectionsubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\203x8subpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\mainscroll.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\scenesscroll.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialmainsubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialoccasion.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\CircleSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\GoldRing.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NavigationButtonSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NextMenuButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\ParentMenuButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\PreviousMenuButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha1.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha2.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
For performance reasons, the remaining 282 entries are omitted.
The remaining entries can be found in glog.xml.
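The File rows above and the Module rows that follow carry the two signals a responder wants from this report: every content file in a directory is opened with GENERIC_WRITE, GENERIC_READ (consistent with in-place rewriting) and a write-only RyukReadMe.txt is created alongside, while the imports are not in the import table but resolved at runtime through GetProcAddress (CryptAcquireContextW, CryptGenKey, CryptExportKey, CryptImportKey, GetIpNetTable, WNetOpenEnumW, Wow64DisableWow64FsRedirection). The Python below is an added triage example, not part of the VMRay report or of the sample; it parses rows in the report's own text layout, groups file opens by directory and buckets resolved functions into capability clusters. The sample rows are constructed from this section plus one control row, the cluster membership is the example's own assumption, and the directory rule deliberately keys on the access mask rather than on the column the report labels Success, which reads False for every Create in this section: an attempted read+write open of everything in a directory plus a note drop is the pattern worth alerting on whether or not the sandbox recorded the write as successful.

```python
"""Triage helpers for VMRay-style File and Module table rows (added example)."""
import re
from collections import defaultdict

# Constructed sample: rows copied in shape from this report's File table, plus
# one control row (a single read+write open, no note) in the parent directory.
SAMPLE_FILE_ROWS = r"""
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\pushplaysubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_item.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_title.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_VideoInset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
"""

# Constructed sample: a Load row (ignored) and Get Address rows from the Module table.
SAMPLE_MODULE_ROWS = r"""
Load mpr.dll base_address = 0x7fefaaa0000 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptGenKey, address_out = 0x7feff7419bc True 1
Get Address c:\windows\system32\advapi32.dll function = CryptExportKey, address_out = 0x7feff748140 True 1
Get Address c:\windows\system32\iphlpapi.dll function = GetIpNetTable, address_out = 0x7fefaf6e558 True 1
Get Address c:\windows\system32\mpr.dll function = WNetOpenEnumW, address_out = 0x7fefaaa3e00 True 1
Get Address c:\windows\system32\kernel32.dll function = Wow64DisableWow64FsRedirection, address_out = 0x7759bb40 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateProcessA, address_out = 0x775e8840 True 1
Get Address c:\windows\system32\kernel32.dll function = FindFirstFileW, address_out = 0x7756bd80 True 1
Get Address c:\windows\system32\kernel32.dll function = MoveFileExW, address_out = 0x77553060 True 1
Get Address c:\windows\system32\kernel32.dll function = GetLastError, address_out = 0x77572dd0 True 1
"""

# Row layouts as printed in the report: "<op> <path> desired_access = <masks>,
# file_attributes = <attrs> <success> <count>" and
# "Get Address <module> function = <name>, address_out = <addr> <success> <count>".
FILE_ROW = re.compile(
    r"^(?P<op>\w+) (?P<path>.+?) desired_access = (?P<access>.+?), "
    r"file_attributes = (?P<attrs>\w+) (?P<ok>True|False) (?P<count>\d+)$"
)
MODULE_ROW = re.compile(
    r"^Get Address (?P<module>\S+) function = (?P<func>\w+), "
    r"address_out = (?P<addr>0x[0-9a-f]+) (?P<ok>True|False) (?P<count>\d+)$"
)

# Capability buckets for dynamically resolved APIs. Membership is this
# example's own assumption, not a VMRay classification.
CAPABILITIES = {
    "crypto": lambda f: f.startswith("Crypt"),
    "network_discovery": lambda f: f in {"GetIpNetTable", "WNetOpenEnumW",
                                         "WNetEnumResourceW", "WNetCloseEnum"},
    "file_enumeration": lambda f: f in {"FindFirstFileW", "FindNextFileW", "FindClose",
                                        "GetLogicalDrives", "GetDriveTypeW"},
    "file_rewrite": lambda f: f in {"CreateFileA", "ReadFile", "WriteFile", "SetFilePointer",
                                    "SetFilePointerEx", "MoveFileExW", "DeleteFileW",
                                    "CopyFileA", "CopyFileW", "SetFileAttributesA",
                                    "SetFileAttributesW"},
    "process_launch": lambda f: f in {"CreateProcessA", "WinExec", "ShellExecuteA", "ShellExecuteW"},
    "registry": lambda f: f.startswith("Reg"),
    "wow64_redirection": lambda f: f.startswith("Wow64"),
}


def parse_file_rows(text):
    """Yield dicts for every File-table row that matches the report layout."""
    for line in text.splitlines():
        m = FILE_ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["access"] = {a.strip() for a in row["access"].split(",")}
            yield row


def find_encrypted_dirs(text, min_rewrites=3):
    """Return {directory: (read_write_opens, note_name)} for directories where
    at least min_rewrites files were opened read+write AND a write-only .txt
    was created. The Success column is intentionally ignored (see lead-in)."""
    per_dir = defaultdict(lambda: {"rewrites": 0, "note": None})
    for row in parse_file_rows(text):
        if row["op"] != "Create":
            continue
        directory, _, name = row["path"].rpartition("\\")
        if {"GENERIC_READ", "GENERIC_WRITE"} <= row["access"]:
            per_dir[directory]["rewrites"] += 1
        elif row["access"] == {"GENERIC_WRITE"} and name.lower().endswith(".txt"):
            per_dir[directory]["note"] = name
    return {d: (v["rewrites"], v["note"]) for d, v in per_dir.items()
            if v["rewrites"] >= min_rewrites and v["note"]}


def resolved_capabilities(text):
    """Bucket successfully resolved Get Address functions by capability."""
    found = defaultdict(list)
    for line in text.splitlines():
        m = MODULE_ROW.match(line.strip())
        if not m or m["ok"] != "True":
            continue
        for cap, predicate in CAPABILITIES.items():
            if predicate(m["func"]):
                found[cap].append(m["func"])
    return {cap: sorted(funcs) for cap, funcs in found.items()}


if __name__ == "__main__":
    for directory, (n, note) in find_encrypted_dirs(SAMPLE_FILE_ROWS).items():
        print(f"{directory}: {n} read+write opens, note {note}")
    for cap, funcs in resolved_capabilities(SAMPLE_MODULE_ROWS).items():
        print(f"{cap}: {', '.join(funcs)}")
```

Run against the full File table exported from glog.xml, the directory rule fires once per DvdStyles subfolder shown above; the control row in the DvdStyles root (one read+write open, no note) is correctly left out, and GetLastError falls into no bucket because resolving it says nothing about intent.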
Module (78)
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x77550000 True 1
Fn
Load mpr.dll base_address = 0x7fefaaa0000 True 1
Fn
Load advapi32.dll base_address = 0x7feff740000 True 1
Fn
Load ole32.dll base_address = 0x7fefddf0000 True 1
Fn
Load Shell32.dll base_address = 0x7fefe360000 True 1
Fn
Load Iphlpapi.dll base_address = 0x7fefaf60000 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryA, address_out = 0x77567070 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetLastError, address_out = 0x77572dd0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = VirtualFree, address_out = 0x77561260 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptExportKey, address_out = 0x7feff748140 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = DeleteFileW, address_out = 0x7755ad90 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetDriveTypeW, address_out = 0x7756bdf0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCommandLineW, address_out = 0x7756c480 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetStartupInfoW, address_out = 0x77568070 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindNextFileW, address_out = 0x77561910 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = VirtualAlloc, address_out = 0x775667a0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7feff74dc20 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ExitProcess, address_out = 0x776940f0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = Wow64RevertWow64FsRedirection, address_out = 0x7759bb30 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateProcessA, address_out = 0x775e8840 True 1
Fn
Get Address c:\windows\system32\iphlpapi.dll function = GetIpNetTable, address_out = 0x7fefaf6e558 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetVersionExW, address_out = 0x7755d910 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = Wow64DisableWow64FsRedirection, address_out = 0x7759bb40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetSystemDefaultLangID, address_out = 0x775594e0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = GetUserNameW, address_out = 0x7feff751fd0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ReadFile, address_out = 0x77561500 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7feff75c480 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x77572f80 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegSetValueExW, address_out = 0x7feff751ed0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7feff760710 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileA, address_out = 0x775e5620 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesW, address_out = 0x775637a0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WinExec, address_out = 0x775e8d80 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptDeriveKey, address_out = 0x7feff77b6b0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptGenKey, address_out = 0x7feff7419bc True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = Sleep, address_out = 0x77572b70 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcess, address_out = 0x77565cf0 True 1
Fn
Get Address c:\windows\system32\shell32.dll function = ShellExecuteW, address_out = 0x7fefe37983c True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileSize, address_out = 0x7755f9d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GlobalAlloc, address_out = 0x775580c0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindClose, address_out = 0x7756bd60 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WaitForMultipleObjects, address_out = 0x77561170 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x775664a0 True 1
Fn
Get Address c:\windows\system32\shell32.dll function = ShellExecuteA, address_out = 0x7fefe5bec80 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x775665e0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameW, address_out = 0x77567700 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x775731f0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileSizeEx, address_out = 0x77559b30 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WriteFile, address_out = 0x775735a0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetLogicalDrives, address_out = 0x7755b930 True 1
Get Address c:\windows\system32\mpr.dll function = WNetEnumResourceW, address_out = 0x7fefaaa41a0 True 1
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExW, address_out = 0x7feff7606f0 True 1
Get Address c:\windows\system32\mpr.dll function = WNetCloseEnum, address_out = 0x7fefaaa42dc True 1
Get Address c:\windows\system32\kernel32.dll function = GetWindowsDirectoryW, address_out = 0x775582b0 True 1
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesA, address_out = 0x77552d50 True 1
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7feff75b5f0 True 1
Get Address c:\windows\system32\kernel32.dll function = SetFilePointer, address_out = 0x77561150 True 1
Get Address c:\windows\system32\kernel32.dll function = GetTickCount, address_out = 0x77572b00 True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesW, address_out = 0x7756bdd0 True 1
Get Address c:\windows\system32\kernel32.dll function = FindFirstFileW, address_out = 0x7756bd80 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptAcquireContextW, address_out = 0x7feff74d98c True 1
Get Address c:\windows\system32\kernel32.dll function = MoveFileExW, address_out = 0x77553060 True 1
Get Address c:\windows\system32\mpr.dll function = WNetOpenEnumW, address_out = 0x7fefaaa3e00 True 1
Get Address c:\windows\system32\ole32.dll function = CoInitialize, address_out = 0x7fefde0a51c True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDecrypt, address_out = 0x7feff77b6d0 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptImportKey, address_out = 0x7feff74af6c True 1
Get Address c:\windows\system32\kernel32.dll function = SetFilePointerEx, address_out = 0x7755af00 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileW, address_out = 0x775592d0 True 1
Get Address c:\windows\system32\kernel32.dll function = FreeLibrary, address_out = 0x77566620 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateProcessW, address_out = 0x77571bb0 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateDirectoryW, address_out = 0x7755ad70 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateThread, address_out = 0x77566580 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDestroyKey, address_out = 0x7feff74afa0 True 1
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7fefde17490 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateFileW, address_out = 0x77561870 True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesA, address_out = 0x775613e0 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptEncrypt, address_out = 0x7feff77b650 True 1
Get Address c:\windows\system32\advapi32.dll function = RegDeleteValueW, address_out = 0x7feff74bbb0 True 1
System (7)
Operation Additional Information Success Count Logfile
Sleep duration = 5000 milliseconds (5.000 seconds) True 1
Sleep duration = 1000 milliseconds (1.000 seconds) True 1
Get Info type = Operating System True 2
Get Info type = Windows Directory, result_out = C:\Windows True 3
Process #413: net1.exe
17 0
Information Value
ID #413
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop KAVFS /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:16, Reason: Child Process
Unmonitor End Time: 00:02:18, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x8f0
Parent PID 0x2e0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA1C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x002cffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff30000 0xfff62fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4810000 0x7fef4821fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfff30000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:59 (UTC) True 1
Get Time type = Ticks, time = 169760 True 1
Process #414: net1.exe
17 0
Information Value
ID #414
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop KAVFSGT /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:16, Reason: Child Process
Unmonitor End Time: 00:02:18, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xe04
Parent PID 0x8c4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xBEC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory rw True False False -
private_0x0000000000690000 0x00690000 0x0069ffff Private Memory rw True False False -
netmsg.dll 0x75290000 0x75291fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff30000 0xfff62fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4810000 0x7fef4821fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75290000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfff30000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:59 (UTC) True 1
Get Time type = Ticks, time = 169807 True 1
Process #415: net1.exe
17 0
Information Value
ID #415
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop mfefire /y
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:16, Reason: Child Process
Unmonitor End Time: 00:02:18, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xd2c
Parent PID 0x870 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xD4C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000120000 0x00120000 0x0012ffff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x75280000 0x75281fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff30000 0xfff62fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef4810000 0x7fef4821fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7330000 0x7fef7356fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb7c0000 0x7fefb7d3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb7e0000 0x7fefb7f4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb800000 0x7fefb80bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb810000 0x7fefb825fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefc0a0000 0x7fefc0bcfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefcca0000 0x7fefcccffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd3b0000 0x7fefd3d2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x75280000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfff30000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 19:40:59 (UTC) True 1
Get Time type = Ticks, time = 169853 True 1
Process #416: taskhost.exe
86 0
Information Value
ID #416
File Name c:\windows\system32\taskhost.exe
Command Line "taskhost.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:16, Reason: Injection
Unmonitor End Time: 00:02:41, Reason: Self Terminated
Monitor Duration 00:00:25
OS Process Information
Information Value
PID 0x4a4
Parent PID 0x1d4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x1268
0x124C
0x1248
0x1244
0x1240
0x123C
0x1238
0x1234
0x1230
0x122C
0x1228
0x1224
0x1220
0x10EC
0x10E8
0x274
0x7EC
0x4F8
0x53C
0x7D4
0x7BC
0x76C
0x768
0x760
0x4CC
0x4C0
0x4A8
0xDFC
0xD28
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
locale.nls 0x00040000 0x000a6fff Memory Mapped File r False False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b1fff Pagefile Backed Memory rw True False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory rw True False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000f0000 0x000f0000 0x000f0fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000100000 0x00100000 0x00101fff Pagefile Backed Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
msutb.dll.mui 0x00190000 0x00191fff Memory Mapped File rw False False False -
private_0x00000000001a0000 0x001a0000 0x001dffff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x001e0fff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x001f0fff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
pagefile_0x0000000000490000 0x00490000 0x00617fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000620000 0x00620000 0x007a0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007b0000 0x007b0000 0x01baffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001bb0000 0x01bb0000 0x01fa2fff Pagefile Backed Memory r True False False -
private_0x0000000002040000 0x02040000 0x020bffff Private Memory rw True False False -
private_0x0000000002130000 0x02130000 0x021affff Private Memory rw True False False -
pagefile_0x00000000021b0000 0x021b0000 0x0228efff Pagefile Backed Memory r True False False -
private_0x00000000022e0000 0x022e0000 0x0235ffff Private Memory rw True False False -
private_0x0000000002360000 0x02360000 0x023dffff Private Memory rw True False False -
private_0x0000000002440000 0x02440000 0x024bffff Private Memory rw True False False -
kernelbase.dll.mui 0x024c0000 0x0257ffff Memory Mapped File rw False False False -
private_0x0000000002590000 0x02590000 0x0260ffff Private Memory rw True False False -
private_0x0000000002640000 0x02640000 0x0264ffff Private Memory rw True False False -
private_0x0000000002660000 0x02660000 0x026dffff Private Memory rw True False False -
private_0x00000000026f0000 0x026f0000 0x0276ffff Private Memory rw True False False -
private_0x0000000002770000 0x02770000 0x027effff Private Memory rw True False False -
private_0x0000000002800000 0x02800000 0x0287ffff Private Memory rw True False False -
private_0x0000000002890000 0x02890000 0x0290ffff Private Memory rw True False False -
private_0x0000000002930000 0x02930000 0x029affff Private Memory rw True False False -
private_0x00000000029c0000 0x029c0000 0x02a3ffff Private Memory rw True False False -
sortdefault.nls 0x02a40000 0x02d0efff Memory Mapped File r False False False -
private_0x0000000002d80000 0x02d80000 0x02dfffff Private Memory rw True False False -
private_0x0000000002e60000 0x02e60000 0x02edffff Private Memory rw True False False -
private_0x0000000002f30000 0x02f30000 0x02faffff Private Memory rw True False False -
private_0x0000000002fb0000 0x02fb0000 0x0302ffff Private Memory rw True False False -
private_0x00000000030a0000 0x030a0000 0x0311ffff Private Memory rw True False False -
private_0x00000000031b0000 0x031b0000 0x0322ffff Private Memory rw True False False -
private_0x0000000003230000 0x03230000 0x032affff Private Memory rw True False False -
private_0x00000000032e0000 0x032e0000 0x0335ffff Private Memory rw True False False -
private_0x00000000033a0000 0x033a0000 0x0341ffff Private Memory rw True False False -
private_0x0000000003480000 0x03480000 0x034fffff Private Memory rw True False False -
private_0x0000000003570000 0x03570000 0x035effff Private Memory rw True False False -
private_0x0000000003610000 0x03610000 0x0368ffff Private Memory rw True False False -
private_0x0000000003690000 0x03690000 0x0370ffff Private Memory rw True False False -
private_0x0000000003710000 0x03710000 0x0378ffff Private Memory rw True False False -
private_0x00000000037a0000 0x037a0000 0x0381ffff Private Memory rw True False False -
private_0x00000000038d0000 0x038d0000 0x0394ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskhost.exe 0xff7e0000 0xff7f3fff Memory Mapped File rwx False False False -
private_0x000000013f3b0000 0x13f3b0000 0x13f3e5fff Private Memory rwx True False False -
winmm.dll 0x7fef8080000 0x7fef80bafff Memory Mapped File rwx False False False -
msutb.dll 0x7fef8bb0000 0x7fef8becfff Memory Mapped File rwx False False False -
msctfmonitor.dll 0x7fef8bf0000 0x7fef8bfafff Memory Mapped File rwx False False False -
hotstartuseragent.dll 0x7fef8f70000 0x7fef8f7afff Memory Mapped File rwx False False False -
playsndsrv.dll 0x7fef9030000 0x7fef9047fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
slc.dll 0x7fefb040000 0x7fefb04afff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb050000 0x7fefb05bfff Memory Mapped File rwx False False False -
nlaapi.dll 0x7fefb0d0000 0x7fefb0e4fff Memory Mapped File rwx False False False -
taskschd.dll 0x7fefb200000 0x7fefb326fff Memory Mapped File rwx False False False -
dimsjob.dll 0x7fefb6b0000 0x7fefb6bdfff Memory Mapped File rwx False False False -
npmproxy.dll 0x7fefb700000 0x7fefb70bfff Memory Mapped File rwx False False False -
netprofm.dll 0x7fefb8c0000 0x7fefb933fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefb940000 0x7fefb950fff Memory Mapped File rwx False False False -
dwmapi.dll 0x7fefbae0000 0x7fefbaf7fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fefbf10000 0x7fefbf65fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd560000 0x7fefd59cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
shell32.dll 0x7fefe360000 0x7feff0e7fff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
private_0x000007fffff84000 0x7fffff84000 0x7fffff85fff Private Memory rw True False False -
private_0x000007fffff86000 0x7fffff86000 0x7fffff87fff Private Memory rw True False False -
private_0x000007fffff88000 0x7fffff88000 0x7fffff89fff Private Memory rw True False False -
private_0x000007fffff8a000 0x7fffff8a000 0x7fffff8bfff Private Memory rw True False False -
private_0x000007fffff8c000 0x7fffff8c000 0x7fffff8dfff Private Memory rw True False False -
private_0x000007fffff8e000 0x7fffff8e000 0x7fffff8ffff Private Memory rw True False False -
private_0x000007fffff90000 0x7fffff90000 0x7fffff91fff Private Memory rw True False False -
private_0x000007fffff92000 0x7fffff92000 0x7fffff93fff Private Memory rw True False False -
private_0x000007fffff94000 0x7fffff94000 0x7fffff95fff Private Memory rw True False False -
private_0x000007fffff96000 0x7fffff96000 0x7fffff97fff Private Memory rw True False False -
private_0x000007fffff98000 0x7fffff98000 0x7fffff99fff Private Memory rw True False False -
private_0x000007fffff9a000 0x7fffff9a000 0x7fffff9bfff Private Memory rw True False False -
private_0x000007fffff9c000 0x7fffff9c000 0x7fffff9dfff Private Memory rw True False False -
private_0x000007fffff9e000 0x7fffff9e000 0x7fffff9ffff Private Memory rw True False False -
private_0x000007fffffa0000 0x7fffffa0000 0x7fffffa1fff Private Memory rw True False False -
private_0x000007fffffa2000 0x7fffffa2000 0x7fffffa3fff Private Memory rw True False False -
private_0x000007fffffa4000 0x7fffffa4000 0x7fffffa5fff Private Memory rw True False False -
private_0x000007fffffa6000 0x7fffffa6000 0x7fffffa7fff Private Memory rw True False False -
private_0x000007fffffa8000 0x7fffffa8000 0x7fffffa9fff Private Memory rw True False False -
private_0x000007fffffaa000 0x7fffffaa000 0x7fffffabfff Private Memory rw True False False -
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff Private Memory rw True False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory rw True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Memory #1: c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe 0x188 address = 0x13f3b0000, size = 221184 True 1
Create Remote Thread #1: c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe 0x188 address = 0x13f3b1a30 True 1
Host Behavior
File (2)
Operation Filename Additional Information Success Count Logfile
Create C:\users\Public\sys desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN False 2
Module (78)
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x77550000 True 1
Load mpr.dll base_address = 0x7fefaaa0000 True 1
Fn
Load advapi32.dll base_address = 0x7feff740000 True 1
Fn
Load ole32.dll base_address = 0x7fefddf0000 True 1
Fn
Load Shell32.dll base_address = 0x7fefe360000 True 1
Fn
Load Iphlpapi.dll base_address = 0x7fefaf60000 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryA, address_out = 0x77567070 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetLastError, address_out = 0x77572dd0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = VirtualFree, address_out = 0x77561260 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptExportKey, address_out = 0x7feff748140 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = DeleteFileW, address_out = 0x7755ad90 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetDriveTypeW, address_out = 0x7756bdf0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCommandLineW, address_out = 0x7756c480 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetStartupInfoW, address_out = 0x77568070 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindNextFileW, address_out = 0x77561910 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = VirtualAlloc, address_out = 0x775667a0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7feff74dc20 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ExitProcess, address_out = 0x776940f0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = Wow64RevertWow64FsRedirection, address_out = 0x7759bb30 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateProcessA, address_out = 0x775e8840 True 1
Fn
Get Address c:\windows\system32\iphlpapi.dll function = GetIpNetTable, address_out = 0x7fefaf6e558 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetVersionExW, address_out = 0x7755d910 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = Wow64DisableWow64FsRedirection, address_out = 0x7759bb40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetSystemDefaultLangID, address_out = 0x775594e0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = GetUserNameW, address_out = 0x7feff751fd0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ReadFile, address_out = 0x77561500 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7feff75c480 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x77572f80 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegSetValueExW, address_out = 0x7feff751ed0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7feff760710 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileA, address_out = 0x775e5620 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesW, address_out = 0x775637a0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WinExec, address_out = 0x775e8d80 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptDeriveKey, address_out = 0x7feff77b6b0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptGenKey, address_out = 0x7feff7419bc True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = Sleep, address_out = 0x77572b70 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcess, address_out = 0x77565cf0 True 1
Fn
Get Address c:\windows\system32\shell32.dll function = ShellExecuteW, address_out = 0x7fefe37983c True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileSize, address_out = 0x7755f9d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GlobalAlloc, address_out = 0x775580c0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindClose, address_out = 0x7756bd60 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WaitForMultipleObjects, address_out = 0x77561170 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x775664a0 True 1
Fn
Get Address c:\windows\system32\shell32.dll function = ShellExecuteA, address_out = 0x7fefe5bec80 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x775665e0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameW, address_out = 0x77567700 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x775731f0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileSizeEx, address_out = 0x77559b30 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WriteFile, address_out = 0x775735a0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetLogicalDrives, address_out = 0x7755b930 True 1
Fn
Get Address c:\windows\system32\mpr.dll function = WNetEnumResourceW, address_out = 0x7fefaaa41a0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExW, address_out = 0x7feff7606f0 True 1
Fn
Get Address c:\windows\system32\mpr.dll function = WNetCloseEnum, address_out = 0x7fefaaa42dc True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetWindowsDirectoryW, address_out = 0x775582b0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesA, address_out = 0x77552d50 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7feff75b5f0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFilePointer, address_out = 0x77561150 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetTickCount, address_out = 0x77572b00 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesW, address_out = 0x7756bdd0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindFirstFileW, address_out = 0x7756bd80 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptAcquireContextW, address_out = 0x7feff74d98c True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = MoveFileExW, address_out = 0x77553060 True 1
Fn
Get Address c:\windows\system32\mpr.dll function = WNetOpenEnumW, address_out = 0x7fefaaa3e00 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoInitialize, address_out = 0x7fefde0a51c True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptDecrypt, address_out = 0x7feff77b6d0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptImportKey, address_out = 0x7feff74af6c True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFilePointerEx, address_out = 0x7755af00 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileW, address_out = 0x775592d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FreeLibrary, address_out = 0x77566620 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateProcessW, address_out = 0x77571bb0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateDirectoryW, address_out = 0x7755ad70 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateThread, address_out = 0x77566580 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptDestroyKey, address_out = 0x7feff74afa0 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7fefde17490 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateFileW, address_out = 0x77561870 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesA, address_out = 0x775613e0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptEncrypt, address_out = 0x7feff77b650 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegDeleteValueW, address_out = 0x7feff74bbb0 True 1
Fn
System (6)
Operation Additional Information Success Count
Sleep duration = 5000 milliseconds (5.000 seconds) True 1
Sleep duration = 9000 milliseconds (9.000 seconds) True 2
Get Info type = Operating System True 1
Get Info type = Windows Directory, result_out = C:\Windows True 2
Process #417: reg.exe
Information Value
ID #417
File Name c:\windows\system32\reg.exe
Command Line REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe" /f
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:02:16, Reason: Child Process
Unmonitor End Time: 00:02:18, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xdac
Parent PID 0xe7c (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xD78
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
reg.exe.mui 0x000e0000 0x000e8fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x0043ffff Private Memory rw True False False -
pagefile_0x0000000000440000 0x00440000 0x005c7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005d0000 0x005d0000 0x00750fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000760000 0x00760000 0x01b5ffff Pagefile Backed Memory r True False False -
sortdefault.nls 0x01b60000 0x01e2efff Memory Mapped File r False False False -
kernelbase.dll.mui 0x01e30000 0x01eeffff Memory Mapped File rw False False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
reg.exe 0xff0a0000 0xff0f5fff Memory Mapped File rwx True False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feff490000 0x7feff4dcfff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (5)
Operation Filename Additional Information Success Count
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Open STD_OUTPUT_HANDLE - True 3
Write STD_OUTPUT_HANDLE size = 39 True 1
Registry (4)
Operation Key Additional Information Success Count
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System - False 1
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = svchos False 1
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = svchos, data = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe, size = 98, type = REG_SZ True 1
Module (1)
Operation Module Additional Information Success Count
Get Handle c:\windows\system32\reg.exe base_address = 0xff0a0000 True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 19:40:59 (UTC) True 1
Get Time type = Ticks, time = 170103 True 1
Process #418: taskeng.exe
Information Value
ID #418
File Name c:\windows\system32\taskeng.exe
Command Line taskeng.exe {CD671DAD-4B74-4170-B439-24634829D136} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:Highest[1]
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:17, Reason: Injection
Unmonitor End Time: 00:02:39, Reason: Self Terminated
Monitor Duration 00:00:22
OS Process Information
Information Value
PID 0x59c
Parent PID 0x374 (Unknown)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x314
0x440
0x5F4
0x5B4
0x5A8
0x5A0
0xE74
0x80C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory rw True False False -
pagefile_0x00000000000f0000 0x000f0000 0x000f0fff Pagefile Backed Memory r True False False -
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
pagefile_0x00000000003b0000 0x003b0000 0x00537fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000540000 0x00540000 0x006c0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006d0000 0x006d0000 0x01acffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001ad0000 0x01ad0000 0x01ec2fff Pagefile Backed Memory r True False False -
private_0x0000000001ed0000 0x01ed0000 0x01fcffff Private Memory rw True False False -
private_0x0000000001fd0000 0x01fd0000 0x0204ffff Private Memory rw True False False -
private_0x0000000002060000 0x02060000 0x020dffff Private Memory rw True False False -
private_0x0000000002210000 0x02210000 0x0228ffff Private Memory rw True False False -
sortdefault.nls 0x02290000 0x0255efff Memory Mapped File r False False False -
private_0x00000000025e0000 0x025e0000 0x0265ffff Private Memory rw True False False -
private_0x0000000002720000 0x02720000 0x0279ffff Private Memory rw True False False -
private_0x0000000002840000 0x02840000 0x028bffff Private Memory rw True False False -
pagefile_0x00000000028c0000 0x028c0000 0x0299efff Pagefile Backed Memory r True False False -
private_0x0000000002a90000 0x02a90000 0x02b0ffff Private Memory rw True False False -
user32.dll 0x77450000 0x77549fff Memory Mapped File rwx False False False -
kernel32.dll 0x77550000 0x7766efff Memory Mapped File rwx False False False -
ntdll.dll 0x77670000 0x77818fff Memory Mapped File rwx False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskeng.exe 0xffcf0000 0xffd63fff Memory Mapped File rwx False False False -
private_0x000000013f3b0000 0x13f3b0000 0x13f3e5fff Private Memory rwx True False False -
tschannel.dll 0x7fef7bb0000 0x7fef7bb8fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File rwx False False False -
ktmw32.dll 0x7fefab80000 0x7fefab89fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefaf50000 0x7fefaf5afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefaf60000 0x7fefaf86fff Memory Mapped File rwx False False False -
xmllite.dll 0x7fefbaa0000 0x7fefbad4fff Memory Mapped File rwx False False False -
dwmapi.dll 0x7fefbae0000 0x7fefbaf7fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fefbf10000 0x7fefbf65fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcbb0000 0x7fefcbf6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefceb0000 0x7fefcec6fff Memory Mapped File rwx False False False -
wevtapi.dll 0x7fefd0e0000 0x7fefd14cfff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd480000 0x7fefd4a4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd4b0000 0x7fefd4befff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd5a0000 0x7fefd5b3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd920000 0x7fefd98afff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefdb10000 0x7fefdbaefff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdbb0000 0x7fefdc86fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefdc90000 0x7fefdcf6fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdd00000 0x7fefddc8fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefddf0000 0x7fefdff2fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe000000 0x7fefe098fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefe0a0000 0x7fefe1a8fff Memory Mapped File rwx False False False -
sechost.dll 0x7fefe330000 0x7fefe34efff Memory Mapped File rwx False False False -
lpk.dll 0x7fefe350000 0x7fefe35dfff Memory Mapped File rwx False False False -
shell32.dll 0x7fefe360000 0x7feff0e7fff Memory Mapped File rwx False False False -
nsi.dll 0x7feff2d0000 0x7feff2d7fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff2e0000 0x7feff350fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff740000 0x7feff81afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff820000 0x7feff94cfff Memory Mapped File rwx False False False -
imm32.dll 0x7feff950000 0x7feff97dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feff990000 0x7feff990fff Memory Mapped File rwx False False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory rw True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count
Modify Memory #1: c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe 0x188 address = 0x13f3b0000, size = 221184 True 1
Create Remote Thread #1: c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe 0x188 address = 0x13f3b1a30 True 1
Host Behavior
File (2)
Operation Filename Additional Information Success Count
Create C:\users\Public\sys desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN False 2
Module (78)
Operation Module Additional Information Success Count
Load kernel32.dll base_address = 0x77550000 True 1
Load mpr.dll base_address = 0x7fefaaa0000 True 1
Load advapi32.dll base_address = 0x7feff740000 True 1
Load ole32.dll base_address = 0x7fefddf0000 True 1
Load Shell32.dll base_address = 0x7fefe360000 True 1
Load Iphlpapi.dll base_address = 0x7fefaf60000 True 1
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryA, address_out = 0x77567070 True 1
Get Address c:\windows\system32\kernel32.dll function = GetLastError, address_out = 0x77572dd0 True 1
Get Address c:\windows\system32\kernel32.dll function = VirtualFree, address_out = 0x77561260 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptExportKey, address_out = 0x7feff748140 True 1
Get Address c:\windows\system32\kernel32.dll function = DeleteFileW, address_out = 0x7755ad90 True 1
Get Address c:\windows\system32\kernel32.dll function = GetDriveTypeW, address_out = 0x7756bdf0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetCommandLineW, address_out = 0x7756c480 True 1
Get Address c:\windows\system32\kernel32.dll function = GetStartupInfoW, address_out = 0x77568070 True 1
Get Address c:\windows\system32\kernel32.dll function = FindNextFileW, address_out = 0x77561910 True 1
Get Address c:\windows\system32\kernel32.dll function = VirtualAlloc, address_out = 0x775667a0 True 1
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7feff74dc20 True 1
Get Address c:\windows\system32\kernel32.dll function = ExitProcess, address_out = 0x776940f0 True 1
Get Address c:\windows\system32\kernel32.dll function = Wow64RevertWow64FsRedirection, address_out = 0x7759bb30 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateProcessA, address_out = 0x775e8840 True 1
Get Address c:\windows\system32\iphlpapi.dll function = GetIpNetTable, address_out = 0x7fefaf6e558 True 1
Get Address c:\windows\system32\kernel32.dll function = GetVersionExW, address_out = 0x7755d910 True 1
Get Address c:\windows\system32\kernel32.dll function = Wow64DisableWow64FsRedirection, address_out = 0x7759bb40 True 1
Get Address c:\windows\system32\kernel32.dll function = GetSystemDefaultLangID, address_out = 0x775594e0 True 1
Get Address c:\windows\system32\advapi32.dll function = GetUserNameW, address_out = 0x7feff751fd0 True 1
Get Address c:\windows\system32\kernel32.dll function = ReadFile, address_out = 0x77561500 True 1
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7feff75c480 True 1
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x77572f80 True 1
Get Address c:\windows\system32\advapi32.dll function = RegSetValueExW, address_out = 0x7feff751ed0 True 1
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7feff760710 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileA, address_out = 0x775e5620 True 1
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesW, address_out = 0x775637a0 True 1
Get Address c:\windows\system32\kernel32.dll function = WinExec, address_out = 0x775e8d80 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDeriveKey, address_out = 0x7feff77b6b0 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptGenKey, address_out = 0x7feff7419bc True 1
Get Address c:\windows\system32\kernel32.dll function = Sleep, address_out = 0x77572b70 True 1
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcess, address_out = 0x77565cf0 True 1
Get Address c:\windows\system32\shell32.dll function = ShellExecuteW, address_out = 0x7fefe37983c True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileSize, address_out = 0x7755f9d0 True 1
Get Address c:\windows\system32\kernel32.dll function = GlobalAlloc, address_out = 0x775580c0 True 1
Get Address c:\windows\system32\kernel32.dll function = FindClose, address_out = 0x7756bd60 True 1
Get Address c:\windows\system32\kernel32.dll function = WaitForMultipleObjects, address_out = 0x77561170 True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x775664a0 True 1
Get Address c:\windows\system32\shell32.dll function = ShellExecuteA, address_out = 0x7fefe5bec80 True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x775665e0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameW, address_out = 0x77567700 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x775731f0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileSizeEx, address_out = 0x77559b30 True 1
Get Address c:\windows\system32\kernel32.dll function = WriteFile, address_out = 0x775735a0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetLogicalDrives, address_out = 0x7755b930 True 1
Get Address c:\windows\system32\mpr.dll function = WNetEnumResourceW, address_out = 0x7fefaaa41a0 True 1
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExW, address_out = 0x7feff7606f0 True 1
Get Address c:\windows\system32\mpr.dll function = WNetCloseEnum, address_out = 0x7fefaaa42dc True 1
Get Address c:\windows\system32\kernel32.dll function = GetWindowsDirectoryW, address_out = 0x775582b0 True 1
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesA, address_out = 0x77552d50 True 1
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7feff75b5f0 True 1
Get Address c:\windows\system32\kernel32.dll function = SetFilePointer, address_out = 0x77561150 True 1
Get Address c:\windows\system32\kernel32.dll function = GetTickCount, address_out = 0x77572b00 True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesW, address_out = 0x7756bdd0 True 1
Get Address c:\windows\system32\kernel32.dll function = FindFirstFileW, address_out = 0x7756bd80 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptAcquireContextW, address_out = 0x7feff74d98c True 1
Get Address c:\windows\system32\kernel32.dll function = MoveFileExW, address_out = 0x77553060 True 1
Get Address c:\windows\system32\mpr.dll function = WNetOpenEnumW, address_out = 0x7fefaaa3e00 True 1
Get Address c:\windows\system32\ole32.dll function = CoInitialize, address_out = 0x7fefde0a51c True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDecrypt, address_out = 0x7feff77b6d0 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptImportKey, address_out = 0x7feff74af6c True 1
Get Address c:\windows\system32\kernel32.dll function = SetFilePointerEx, address_out = 0x7755af00 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileW, address_out = 0x775592d0 True 1
Get Address c:\windows\system32\kernel32.dll function = FreeLibrary, address_out = 0x77566620 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateProcessW, address_out = 0x77571bb0 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateDirectoryW, address_out = 0x7755ad70 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateThread, address_out = 0x77566580 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDestroyKey, address_out = 0x7feff74afa0 True 1
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7fefde17490 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateFileW, address_out = 0x77561870 True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesA, address_out = 0x775613e0 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptEncrypt, address_out = 0x7feff77b650 True 1
Get Address c:\windows\system32\advapi32.dll function = RegDeleteValueW, address_out = 0x7feff74bbb0 True 1
System (6)
Operation Additional Information Success Count
Sleep duration = 5000 milliseconds (5.000 seconds) True 1
Sleep duration = 9000 milliseconds (9.000 seconds) True 2
Get Info type = Operating System True 1
Get Info type = Windows Directory, result_out = C:\Windows True 2
Process #420: xhcdxx.exe
Information Value
ID #420
File Name c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:14, Reason: Autostart
Unmonitor End Time: 00:04:33, Reason: Self Terminated
Monitor Duration 00:01:19
OS Process Information
Information Value
PID 0x75c
Parent PID 0x6f8 (c:\windows\system32\mobsync.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory rw True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d0fff Pagefile Backed Memory rw True False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e1fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000f0000 0x000f0000 0x000f0fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x000fffff Private Memory rw True False False -
pagefile_0x00000000000f0000 0x000f0000 0x000f5fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000100000 0x00100000 0x00101fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
oleaccrc.dll 0x00120000 0x00120fff Memory Mapped File r False False False -
pagefile_0x0000000000120000 0x00120000 0x00125fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000130000 0x00130000 0x00131fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000140000 0x00140000 0x00146fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
pagefile_0x0000000000350000 0x00350000 0x00351fff Pagefile Backed Memory rw True False False -
cversions.2.db 0x00360000 0x00363fff Memory Mapped File r True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db 0x00370000 0x0038efff Memory Mapped File r True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db 0x00390000 0x003bffff Memory Mapped File r True False False -
cversions.2.db 0x003c0000 0x003c3fff Memory Mapped File r True False False -
pagefile_0x00000000003d0000 0x003d0000 0x003d0fff Pagefile Backed Memory rw True False False -
pagefile_0x00000000003e0000 0x003e0000 0x003e0fff Pagefile Backed Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x003fffff Private Memory rw True False False -
cversions.2.db 0x00400000 0x00403fff Memory Mapped File r True False False -
private_0x0000000000440000 0x00440000 0x0053ffff Private Memory rw True False False -
pagefile_0x0000000000540000 0x00540000 0x006c7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006d0000 0x006d0000 0x00850fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000860000 0x00860000 0x01c5ffff Pagefile Backed Memory r True False False -
sortdefault.nls 0x01c60000 0x01f2efff Memory Mapped File r False False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x01f30000 0x01f95fff Memory Mapped File r True False False -
private_0x0000000001fa0000 0x01fa0000 0x0201ffff Private Memory rw True False False -
private_0x0000000002040000 0x02040000 0x0213ffff Private Memory rw True False False -
private_0x0000000002080000 0x02080000 0x0217ffff Private Memory rw True False False -
private_0x00000000020b0000 0x020b0000 0x021affff Private Memory rw True False False -
pagefile_0x00000000021b0000 0x021b0000 0x0228efff Pagefile Backed Memory r True False False -
private_0x0000000002370000 0x02370000 0x0246ffff Private Memory rw True False False -
private_0x0000000002470000 0x02470000 0x0256ffff Private Memory rw True False False -
pagefile_0x0000000002570000 0x02570000 0x02962fff Pagefile Backed Memory r True False False -
private_0x00000000029f0000 0x029f0000 0x02aeffff Private Memory rw True False False -
private_0x0000000002b50000 0x02b50000 0x02c4ffff Private Memory rw True False False -
private_0x0000000002bf0000 0x02bf0000 0x02ceffff Private Memory rw True False False -
private_0x0000000002c50000 0x02c50000 0x02d4ffff Private Memory rw True False False -
private_0x0000000002c70000 0x02c70000 0x02d6ffff Private Memory rw True False False -
private_0x0000000002d80000 0x02d80000 0x02e7ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
psapi.dll 0x76e80000 0x76e86fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
xhcdxx.exe 0x13f490000 0x13f4c5fff Memory Mapped File rwx True True False
ieframe.dll 0x7fef36a0000 0x7fef4256fff Memory Mapped File rwx False False False -
oleacc.dll 0x7fef48a0000 0x7fef48f3fff Memory Mapped File rwx False False False -
ieframe.dll 0x7fef4900000 0x7fef54b6fff Memory Mapped File rwx False False False -
oleacc.dll 0x7fef4e60000 0x7fef4eb3fff Memory Mapped File rwx False False False -
apphelp.dll 0x7fef9460000 0x7fef94b6fff Memory Mapped File rwx False False False -
api-ms-win-core-synch-l1-2-0.dll 0x7fef9ad0000 0x7fef9ad2fff Memory Mapped File rwx False False False -
ntmarta.dll 0x7fefab70000 0x7fefab9cfff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fefb560000 0x7fefb5b5fff Memory Mapped File rwx False False False -
propsys.dll 0x7fefb5c0000 0x7fefb6ebfff Memory Mapped File rwx False False False -
comctl32.dll 0x7fefb740000 0x7fefb933fff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
profapi.dll 0x7fefcc10000 0x7fefcc1efff Memory Mapped File rwx False False False -
msasn1.dll 0x7fefccb0000 0x7fefccbefff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7fefccc0000 0x7fefccf5fff Memory Mapped File rwx False False False -
devobj.dll 0x7fefcd40000 0x7fefcd59fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
crypt32.dll 0x7fefcdd0000 0x7fefcf36fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
urlmon.dll 0x7fefd1e0000 0x7fefd357fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
shell32.dll 0x7fefd440000 0x7fefe1c7fff Memory Mapped File rwx False False False -
wininet.dll 0x7fefe1d0000 0x7fefe2f9fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
iertutil.dll 0x7fefe3f0000 0x7fefe648fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
setupapi.dll 0x7fefe920000 0x7fefeaf6fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
wldap32.dll 0x7fefee60000 0x7fefeeb1fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory rw True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (5)
Operation Filename Additional Information Success Count Logfile
Create C:\users\Public\sys desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN False 1 Fn
Open STD_INPUT_HANDLE - True 1 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Delete - - False 1 Fn
Process (287)
Operation Process Additional Information Success Count Logfile
Create taskkill show_window = SW_HIDE True 1 Fn (44 identical rows)
Create net show_window = SW_HIDE True 1 Fn (178 identical rows)
Create net show_window = SW_HIDE True 2 Fn (3 identical rows)
Create C:\Windows\System32\cmd.exe show_window = SW_HIDE True 1 Fn
Open System desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\smss.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\csrss.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\wininit.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\csrss.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\winlogon.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\services.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\lsass.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\lsm.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\audiodg.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\dwm.exe desired_access = PROCESS_ALL_ACCESS True 1 Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\spoolsv.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_ALL_ACCESS True 1 Fn
Open c:\windows\system32\sppsvc.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\mobsync.exe desired_access = PROCESS_ALL_ACCESS True 1 Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1 Fn
Open c:\windows\system32\wbem\wmiprvse.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1 Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1 Fn
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS True 1 Fn
Open c:\windows\system32\taskkill.exe desired_access = PROCESS_ALL_ACCESS True 1 Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1 Fn
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS True 1 Fn
Open c:\windows\system32\net1.exe desired_access = PROCESS_ALL_ACCESS True 1 Fn
Open c:\windows\system32\net1.exe desired_access = PROCESS_ALL_ACCESS True 1 Fn
Open c:\windows\system32\taskkill.exe desired_access = PROCESS_ALL_ACCESS True 1 Fn
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS True 1 Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1 Fn
Open c:\windows\system32\net1.exe desired_access = PROCESS_ALL_ACCESS True 1 Fn
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS True 1 Fn
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS True 1 Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1 Fn
Open c:\windows\system32\dwm.exe desired_access = PROCESS_ALL_ACCESS True 1 Fn
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_ALL_ACCESS True 1 Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS True 1 Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\taskkill.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\net1.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\net1.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\taskkill.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\net1.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\net.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_ALL_ACCESS False 1 Fn
Thread (2)
Operation Process Additional Information Success Count Logfile
Create c:\windows\system32\dwm.exe proc_address = 0x13f491a30, proc_parameter = 5356716032, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create c:\windows\system32\taskhost.exe proc_address = 0x13f491a30, proc_parameter = 5356716032, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Memory (5)
Operation Process Additional Information Success Count Logfile
Allocate c:\windows\system32\dwm.exe address = 0x13f490000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 True 1 Fn
Allocate c:\windows\system32\taskhost.exe address = 0x13f490000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 True 1 Fn
Allocate c:\windows\system32\conhost.exe address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 221184 False 1 Fn
Write c:\windows\system32\dwm.exe address = 0x13f490000, size = 221184 True 1 Fn Data
Write c:\windows\system32\taskhost.exe address = 0x13f490000, size = 221184 True 1 Fn Data
Module (43)
Operation Module Additional Information Success Count Logfile
Load api-ms-win-core-synch-l1-2-0 base_address = 0x0 False 2 Fn
Load api-ms-win-core-synch-l1-2-0 base_address = 0x7fef9ad0000 True 2 Fn
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x0 False 4 Fn
Load kernel32 base_address = 0x0 False 2 Fn
Load kernel32 base_address = 0x76aa0000 True 2 Fn
Load advapi32 base_address = 0x0 False 1 Fn
Load advapi32 base_address = 0x7fefec60000 True 1 Fn
Load api-ms-win-core-localization-l1-2-1 base_address = 0x0 False 2 Fn
Load kernel32.dll base_address = 0x76aa0000 True 1 Fn
Load api-ms-win-appmodel-runtime-l1-1-1 base_address = 0x0 False 2 Fn
Load ext-ms-win-kernel32-package-current-l1-1-0 base_address = 0x0 False 2 Fn
Get Handle c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe base_address = 0x13f490000 True 5 Fn
Get Handle mscoree.dll - False 1 Fn
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe, size = 260 True 3 Fn
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe, size = 320 True 1 Fn
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe, size = 100 True 1 Fn
Get Address c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll function = InitializeCriticalSectionEx, address_out = 0x0 False 2 Fn
Get Address c:\windows\system32\kernel32.dll function = FlsAlloc, address_out = 0x76ab7190 True 2 Fn
Get Address c:\windows\system32\kernel32.dll function = FlsSetValue, address_out = 0x76abbd90 True 2 Fn
Get Address c:\windows\system32\advapi32.dll function = EventRegister, address_out = 0x76cfcac0 True 1 Fn
Get Address c:\windows\system32\advapi32.dll function = EventSetInformation, address_out = 0x0 False 1 Fn
Get Address c:\windows\system32\kernel32.dll function = FlsGetValue, address_out = 0x76ac3520 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = LCMapStringEx, address_out = 0x76aeb710 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = IsWow64Process, address_out = 0x76aa91d0 True 1 Fn
User (1)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1 Fn
System (24)
Operation Additional Information Success Count Logfile
Sleep duration = 5000 milliseconds (5.000 seconds) True 2 Fn
Sleep duration = 300 milliseconds (0.300 seconds) True 18 Fn
Get Time type = System Time, time = 2018-11-27 08:42:07 (UTC) True 1 Fn
Get Info type = Operating System True 1 Fn
Get Info type = Windows Directory, result_out = C:\Windows True 2 Fn
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1 Fn Data
Process #421: taskkill.exe
Information Value
ID #421
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:23, Reason: Child Process
Unmonitor End Time: 00:03:42, Reason: Self Terminated
Monitor Duration 00:00:19
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x278
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x634, 0x338, 0x7B8, 0x610, 0x60C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
Process #422: taskkill.exe
Information Value
ID #422
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:23, Reason: Child Process
Unmonitor End Time: 00:03:43, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x430
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x530
0x780
0x348
0x354
0x7A4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
Process #423: taskkill.exe
Information Value
ID #423
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:23, Reason: Child Process
Unmonitor End Time: 00:03:43, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x234
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x21C
0x350
0x4D0
0x640
0x49C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
Process #424: taskkill.exe
Information Value
ID #424
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:24, Reason: Child Process
Unmonitor End Time: 00:03:42, Reason: Self Terminated
Monitor Duration 00:00:18
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x69c
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x528
0x78C
0x7E0
0x6D4
0x504
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
Process #425: taskkill.exe
Information Value
ID #425
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:24, Reason: Child Process
Unmonitor End Time: 00:03:42, Reason: Self Terminated
Monitor Duration 00:00:18
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x728
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x730
0x7D4
0x4E0
0x814
0x818
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #426: taskkill.exe
Information Value
ID #426
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM excel.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:24, Reason: Child Process
Unmonitor End Time: 00:03:43, Reason: Self Terminated
Monitor Duration 00:00:19
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x334
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x330
0x82C
0x840
0x85C
0x860
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
pagefile_0x00000000001d0000 0x001d0000 0x001d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x001e0000 0x001e3fff Memory Mapped File rw False False False -
private_0x00000000001f0000 0x001f0000 0x001f0fff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x00200fff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
pagefile_0x0000000000390000 0x00390000 0x00390fff Pagefile Backed Memory r True False False -
pagefile_0x00000000003a0000 0x003a0000 0x003a0fff Pagefile Backed Memory r True False False -
private_0x00000000003b0000 0x003b0000 0x003bffff Private Memory rw True False False -
pagefile_0x00000000003c0000 0x003c0000 0x00547fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000550000 0x00550000 0x006d0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006e0000 0x006e0000 0x01adffff Pagefile Backed Memory r True False False -
private_0x0000000001b30000 0x01b30000 0x01baffff Private Memory rw True False False -
kernelbase.dll.mui 0x01bb0000 0x01c6ffff Memory Mapped File rw False False False -
private_0x0000000001d10000 0x01d10000 0x01d8ffff Private Memory rw True False False -
private_0x0000000001de0000 0x01de0000 0x01e5ffff Private Memory rw True False False -
sortdefault.nls 0x01e60000 0x0212efff Memory Mapped File r False False False -
private_0x0000000002200000 0x02200000 0x0227ffff Private Memory rw True False False -
private_0x0000000002370000 0x02370000 0x023effff Private Memory rw True False False -
private_0x0000000002420000 0x02420000 0x0249ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff7c0000 0xff7defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef50f0000 0x7fef5214fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef5220000 0x7fef526bfff Memory Mapped File rwx False False False -
wbemsvc.dll 0x7fef8880000 0x7fef8893fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef8b70000 0x7fef8b7efff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
fastprox.dll 0x7fef8bb0000 0x7fef8c91fff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef9140000 0x7fef91c5fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefaf90000 0x7fefafa0fff Memory Mapped File rwx False False False -
version.dll 0x7fefbdd0000 0x7fefbddbfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefcaa0000 0x7fefcaaafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefcbb0000 0x7fefcbecfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefcbf0000 0x7fefcc03fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #428: taskkill.exe
Information Value
ID #428
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:25, Reason: Child Process
Unmonitor End Time: 00:03:44, Reason: Self Terminated
Monitor Duration 00:00:19
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x768
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x764
0x87C
0x8A8
0x8EC
0x8F0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0005ffff Private Memory rw True False False -
pagefile_0x0000000000060000 0x00060000 0x00066fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
pagefile_0x0000000000160000 0x00160000 0x00161fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00170000 0x00173fff Memory Mapped File rw False False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x00190fff Private Memory rw True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
pagefile_0x00000000003f0000 0x003f0000 0x00577fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000580000 0x00580000 0x00700fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000710000 0x00710000 0x01b0ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b10000 0x01bcffff Memory Mapped File rw False False False -
private_0x0000000001c10000 0x01c10000 0x01c8ffff Private Memory rw True False False -
private_0x0000000001c90000 0x01c90000 0x01d0ffff Private Memory rw True False False -
private_0x0000000001e50000 0x01e50000 0x01ecffff Private Memory rw True False False -
sortdefault.nls 0x01ed0000 0x0219efff Memory Mapped File r False False False -
private_0x00000000021b0000 0x021b0000 0x0222ffff Private Memory rw True False False -
private_0x0000000002290000 0x02290000 0x0230ffff Private Memory rw True False False -
private_0x0000000002360000 0x02360000 0x023dffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff7c0000 0xff7defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef50f0000 0x7fef5214fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef5220000 0x7fef526bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef8b70000 0x7fef8b7efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef9140000 0x7fef91c5fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefaf90000 0x7fefafa0fff Memory Mapped File rwx False False False -
version.dll 0x7fefbdd0000 0x7fefbddbfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefcaa0000 0x7fefcaaafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefcbb0000 0x7fefcbecfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefcbf0000 0x7fefcc03fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #429: taskkill.exe
Information Value
ID #429
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM infopath.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:26, Reason: Child Process
Unmonitor End Time: 00:03:42, Reason: Self Terminated
Monitor Duration 00:00:16
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7e4
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x128
0x894
0x8B0
0x8BC
0x8C0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
pagefile_0x0000000000140000 0x00140000 0x00146fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000150000 0x00150000 0x00151fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00160000 0x00163fff Memory Mapped File rw False False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
pagefile_0x0000000000190000 0x00190000 0x00190fff Pagefile Backed Memory r True False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory r True False False -
private_0x00000000002c0000 0x002c0000 0x0033ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
pagefile_0x0000000000460000 0x00460000 0x005e7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005f0000 0x005f0000 0x00770fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000780000 0x00780000 0x01b7ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b80000 0x01c3ffff Memory Mapped File rw False False False -
private_0x0000000001c60000 0x01c60000 0x01cdffff Private Memory rw True False False -
private_0x0000000001d40000 0x01d40000 0x01dbffff Private Memory rw True False False -
private_0x0000000001ed0000 0x01ed0000 0x01f4ffff Private Memory rw True False False -
sortdefault.nls 0x01f50000 0x0221efff Memory Mapped File r False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff7c0000 0xff7defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef50f0000 0x7fef5214fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef5220000 0x7fef526bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef8b70000 0x7fef8b7efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef9140000 0x7fef91c5fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefaf90000 0x7fefafa0fff Memory Mapped File rwx False False False -
version.dll 0x7fefbdd0000 0x7fefbddbfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefcaa0000 0x7fefcaaafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefcbb0000 0x7fefcbecfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefcbf0000 0x7fefcc03fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #430: taskkill.exe
Information Value
ID #430
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:26, Reason: Child Process
Unmonitor End Time: 00:03:42, Reason: Self Terminated
Monitor Duration 00:00:16
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x178
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x804
0x890
0x8AC
0x8D8
0x8DC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
pagefile_0x0000000000450000 0x00450000 0x005d7fff Pagefile Backed Memory r True False False -
private_0x0000000000640000 0x00640000 0x0064ffff Private Memory rw True False False -
pagefile_0x0000000000650000 0x00650000 0x007d0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007e0000 0x007e0000 0x01bdffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01be0000 0x01c9ffff Memory Mapped File rw False False False -
private_0x0000000001cb0000 0x01cb0000 0x01d2ffff Private Memory rw True False False -
private_0x0000000001d70000 0x01d70000 0x01deffff Private Memory rw True False False -
private_0x0000000001e20000 0x01e20000 0x01e9ffff Private Memory rw True False False -
sortdefault.nls 0x01ea0000 0x0216efff Memory Mapped File r False False False -
private_0x0000000002260000 0x02260000 0x022dffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff7c0000 0xff7defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef50f0000 0x7fef5214fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef5220000 0x7fef526bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef8b70000 0x7fef8b7efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef9140000 0x7fef91c5fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefaf90000 0x7fefafa0fff Memory Mapped File rwx False False False -
version.dll 0x7fefbdd0000 0x7fefbddbfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefcaa0000 0x7fefcaaafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefcbb0000 0x7fefcbecfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefcbf0000 0x7fefcc03fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #431: taskkill.exe
Information Value
ID #431
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:26, Reason: Child Process
Unmonitor End Time: 00:03:42, Reason: Self Terminated
Monitor Duration 00:00:16
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x834
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x838
0x90C
0x91C
0x924
0x928
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
kernelbase.dll.mui 0x001d0000 0x0028ffff Memory Mapped File rw False False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
private_0x0000000000520000 0x00520000 0x0052ffff Private Memory rw True False False -
pagefile_0x0000000000530000 0x00530000 0x006b7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006c0000 0x006c0000 0x00840fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000850000 0x00850000 0x01c4ffff Pagefile Backed Memory r True False False -
private_0x0000000001c70000 0x01c70000 0x01ceffff Private Memory rw True False False -
private_0x0000000001d80000 0x01d80000 0x01dfffff Private Memory rw True False False -
private_0x0000000001e60000 0x01e60000 0x01edffff Private Memory rw True False False -
sortdefault.nls 0x01ee0000 0x021aefff Memory Mapped File r False False False -
private_0x00000000022b0000 0x022b0000 0x0232ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff7c0000 0xff7defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef50f0000 0x7fef5214fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef5220000 0x7fef526bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef8b70000 0x7fef8b7efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef9140000 0x7fef91c5fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefaf90000 0x7fefafa0fff Memory Mapped File rwx False False False -
version.dll 0x7fefbdd0000 0x7fefbddbfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefcaa0000 0x7fefcaaafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefcbb0000 0x7fefcbecfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefcbf0000 0x7fefcc03fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #432: taskkill.exe
Information Value
ID #432
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:27, Reason: Child Process
Unmonitor End Time: 00:03:44, Reason: Self Terminated
Monitor Duration 00:00:17
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x86c
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x870
0x980
0x9AC
0x9C8
0x9CC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory rw True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
taskkill.exe.mui 0x000f0000 0x000f3fff Memory Mapped File rw False False False -
private_0x0000000000100000 0x00100000 0x001fffff Private Memory rw True False False -
locale.nls 0x00200000 0x00266fff Memory Mapped File r False False False -
private_0x0000000000270000 0x00270000 0x00270fff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x00280fff Private Memory rw True False False -
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory r True False False -
private_0x00000000002a0000 0x002a0000 0x0031ffff Private Memory rw True False False -
pagefile_0x0000000000320000 0x00320000 0x00320fff Pagefile Backed Memory r True False False -
private_0x0000000000340000 0x00340000 0x0034ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
pagefile_0x0000000000450000 0x00450000 0x005d7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005e0000 0x005e0000 0x00760fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000770000 0x00770000 0x01b6ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b70000 0x01c2ffff Memory Mapped File rw False False False -
private_0x0000000001c50000 0x01c50000 0x01ccffff Private Memory rw True False False -
private_0x0000000001d10000 0x01d10000 0x01d8ffff Private Memory rw True False False -
private_0x0000000001e10000 0x01e10000 0x01e8ffff Private Memory rw True False False -
private_0x0000000001ec0000 0x01ec0000 0x01f3ffff Private Memory rw True False False -
sortdefault.nls 0x01f40000 0x0220efff Memory Mapped File r False False False -
private_0x0000000002300000 0x02300000 0x0237ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff7c0000 0xff7defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef50f0000 0x7fef5214fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef5220000 0x7fef526bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef8b70000 0x7fef8b7efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef9140000 0x7fef91c5fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefaf90000 0x7fefafa0fff Memory Mapped File rwx False False False -
version.dll 0x7fefbdd0000 0x7fefbddbfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefcaa0000 0x7fefcaaafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefcbb0000 0x7fefcbecfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefcbf0000 0x7fefcc03fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #433: taskkill.exe
Information Value
ID #433
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mspub.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:27, Reason: Child Process
Unmonitor End Time: 00:03:43, Reason: Self Terminated
Monitor Duration 00:00:16
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x888
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x88C
0x99C
0x9B4
0x9E8
0x9EC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
pagefile_0x0000000000140000 0x00140000 0x00146fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000150000 0x00150000 0x00151fff Pagefile Backed Memory rw True False False -
private_0x0000000000160000 0x00160000 0x0016ffff Private Memory rw True False False -
taskkill.exe.mui 0x00170000 0x00173fff Memory Mapped File rw False False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x00190fff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
pagefile_0x00000000003a0000 0x003a0000 0x00527fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000530000 0x00530000 0x006b0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006c0000 0x006c0000 0x01abffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01ac0000 0x01b7ffff Memory Mapped File rw False False False -
pagefile_0x0000000001b80000 0x01b80000 0x01b80fff Pagefile Backed Memory r True False False -
pagefile_0x0000000001b90000 0x01b90000 0x01b90fff Pagefile Backed Memory r True False False -
private_0x0000000001ba0000 0x01ba0000 0x01c1ffff Private Memory rw True False False -
private_0x0000000001d00000 0x01d00000 0x01d7ffff Private Memory rw True False False -
private_0x0000000001de0000 0x01de0000 0x01e5ffff Private Memory rw True False False -
private_0x0000000001e70000 0x01e70000 0x01eeffff Private Memory rw True False False -
private_0x0000000001ef0000 0x01ef0000 0x01f6ffff Private Memory rw True False False -
private_0x0000000002020000 0x02020000 0x0209ffff Private Memory rw True False False -
sortdefault.nls 0x020a0000 0x0236efff Memory Mapped File r False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff7c0000 0xff7defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef50f0000 0x7fef5214fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef5220000 0x7fef526bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef8b70000 0x7fef8b7efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef9140000 0x7fef91c5fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefaf90000 0x7fefafa0fff Memory Mapped File rwx False False False -
version.dll 0x7fefbdd0000 0x7fefbddbfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefcaa0000 0x7fefcaaafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefcbb0000 0x7fefcbecfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefcbf0000 0x7fefcc03fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #435: taskkill.exe
Information Value
ID #435
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:28, Reason: Child Process
Unmonitor End Time: 00:03:43, Reason: Self Terminated
Monitor Duration 00:00:15
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8b4
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x8B8
0x9A0
0x9BC
0xA00
0xA04
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
pagefile_0x0000000000140000 0x00140000 0x00146fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000150000 0x00150000 0x00151fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00160000 0x00163fff Memory Mapped File rw False False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
pagefile_0x0000000000190000 0x00190000 0x00190fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
kernelbase.dll.mui 0x003b0000 0x0046ffff Memory Mapped File rw False False False -
private_0x0000000000480000 0x00480000 0x0048ffff Private Memory rw True False False -
pagefile_0x0000000000490000 0x00490000 0x00617fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000620000 0x00620000 0x007a0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007b0000 0x007b0000 0x01baffff Pagefile Backed Memory r True False False -
private_0x0000000001c10000 0x01c10000 0x01c8ffff Private Memory rw True False False -
private_0x0000000001cd0000 0x01cd0000 0x01d4ffff Private Memory rw True False False -
private_0x0000000001df0000 0x01df0000 0x01e6ffff Private Memory rw True False False -
private_0x0000000001f10000 0x01f10000 0x01f8ffff Private Memory rw True False False -
sortdefault.nls 0x01f90000 0x0225efff Memory Mapped File r False False False -
private_0x0000000002300000 0x02300000 0x0237ffff Private Memory rw True False False -
private_0x00000000023a0000 0x023a0000 0x0241ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff7c0000 0xff7defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef50f0000 0x7fef5214fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef5220000 0x7fef526bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef8b70000 0x7fef8b7efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef9140000 0x7fef91c5fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefaf90000 0x7fefafa0fff Memory Mapped File rwx False False False -
version.dll 0x7fefbdd0000 0x7fefbddbfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefcaa0000 0x7fefcaaafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefcbb0000 0x7fefcbecfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefcbf0000 0x7fefcc03fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #436: taskkill.exe
Information Value
ID #436
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:28, Reason: Child Process
Unmonitor End Time: 00:03:42, Reason: Self Terminated
Monitor Duration 00:00:14
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8e0
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x8E4
0x998
0x9B0
0x9D0
0x9D4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c6fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
pagefile_0x0000000000250000 0x00250000 0x00251fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00260000 0x00263fff Memory Mapped File rw False False False -
private_0x0000000000270000 0x00270000 0x00270fff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x00280fff Private Memory rw True False False -
kernelbase.dll.mui 0x00290000 0x0034ffff Memory Mapped File rw False False False -
pagefile_0x0000000000350000 0x00350000 0x00350fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000360000 0x00360000 0x00360fff Pagefile Backed Memory r True False False -
private_0x0000000000380000 0x00380000 0x0038ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
pagefile_0x00000000004a0000 0x004a0000 0x00627fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000630000 0x00630000 0x007b0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007c0000 0x007c0000 0x01bbffff Pagefile Backed Memory r True False False -
private_0x0000000001c60000 0x01c60000 0x01cdffff Private Memory rw True False False -
private_0x0000000001d30000 0x01d30000 0x01daffff Private Memory rw True False False -
private_0x0000000001e10000 0x01e10000 0x01e8ffff Private Memory rw True False False -
private_0x0000000002080000 0x02080000 0x020fffff Private Memory rw True False False -
sortdefault.nls 0x02100000 0x023cefff Memory Mapped File r False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff7c0000 0xff7defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef50f0000 0x7fef5214fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef5220000 0x7fef526bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef8b70000 0x7fef8b7efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef9140000 0x7fef91c5fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefaf90000 0x7fefafa0fff Memory Mapped File rwx False False False -
version.dll 0x7fefbdd0000 0x7fefbddbfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefcaa0000 0x7fefcaaafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefcbb0000 0x7fefcbecfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #437: taskkill.exe
Information Value
ID #437
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:28, Reason: Child Process
Unmonitor End Time: 00:03:43, Reason: Self Terminated
Monitor Duration 00:00:15
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x900
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x904
0x9C4
0xA18
0xA28
0xA2C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x001bffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
kernelbase.dll.mui 0x00270000 0x0032ffff Memory Mapped File rw False False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0055ffff Private Memory rw True False False -
pagefile_0x0000000000560000 0x00560000 0x006e7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006f0000 0x006f0000 0x00870fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000880000 0x00880000 0x01c7ffff Pagefile Backed Memory r True False False -
private_0x0000000001d10000 0x01d10000 0x01d8ffff Private Memory rw True False False -
private_0x0000000001e50000 0x01e50000 0x01ecffff Private Memory rw True False False -
private_0x0000000001f90000 0x01f90000 0x0200ffff Private Memory rw True False False -
sortdefault.nls 0x02010000 0x022defff Memory Mapped File r False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff7c0000 0xff7defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef50f0000 0x7fef5214fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef5220000 0x7fef526bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef8b70000 0x7fef8b7efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef9140000 0x7fef91c5fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefaf90000 0x7fefafa0fff Memory Mapped File rwx False False False -
version.dll 0x7fefbdd0000 0x7fefbddbfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefcaa0000 0x7fefcaaafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefcbb0000 0x7fefcbecfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefcbf0000 0x7fefcc03fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #438: taskkill.exe
Information Value
ID #438
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:28, Reason: Child Process
Unmonitor End Time: 00:03:42, Reason: Self Terminated
Monitor Duration 00:00:14
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x940
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x944
0x9E0
0xA1C
0xA34
0xA38
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
pagefile_0x0000000000150000 0x00150000 0x00151fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00160000 0x00163fff Memory Mapped File rw False False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
pagefile_0x0000000000190000 0x00190000 0x00190fff Pagefile Backed Memory r True False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory r True False False -
private_0x0000000000320000 0x00320000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
pagefile_0x0000000000430000 0x00430000 0x005b7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005c0000 0x005c0000 0x00740fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000750000 0x00750000 0x01b4ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b50000 0x01c0ffff Memory Mapped File rw False False False -
private_0x0000000001c90000 0x01c90000 0x01d0ffff Private Memory rw True False False -
private_0x0000000001d20000 0x01d20000 0x01d9ffff Private Memory rw True False False -
private_0x0000000001e30000 0x01e30000 0x01eaffff Private Memory rw True False False -
sortdefault.nls 0x01eb0000 0x0217efff Memory Mapped File r False False False -
private_0x0000000002210000 0x02210000 0x0228ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff7c0000 0xff7defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef50f0000 0x7fef5214fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef5220000 0x7fef526bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef8b70000 0x7fef8b7efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef9140000 0x7fef91c5fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefaf90000 0x7fefafa0fff Memory Mapped File rwx False False False -
version.dll 0x7fefbdd0000 0x7fefbddbfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefcaa0000 0x7fefcaaafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefcbb0000 0x7fefcbecfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #439: taskkill.exe
Information Value
ID #439
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:29, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:21
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x96c
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x970
0xA6C
0xAB0
0xABC
0xAC0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
pagefile_0x0000000000250000 0x00250000 0x00251fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00260000 0x00263fff Memory Mapped File rw False False False -
private_0x0000000000270000 0x00270000 0x00270fff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x00280fff Private Memory rw True False False -
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory r True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory r True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
pagefile_0x00000000003c0000 0x003c0000 0x00547fff Pagefile Backed Memory r True False False -
private_0x00000000005a0000 0x005a0000 0x005affff Private Memory rw True False False -
pagefile_0x00000000005b0000 0x005b0000 0x00730fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000740000 0x00740000 0x01b3ffff Pagefile Backed Memory r True False False -
private_0x0000000001bb0000 0x01bb0000 0x01c2ffff Private Memory rw True False False -
kernelbase.dll.mui 0x01c30000 0x01ceffff Memory Mapped File rw False False False -
private_0x0000000001d10000 0x01d10000 0x01d8ffff Private Memory rw True False False -
private_0x0000000001db0000 0x01db0000 0x01e2ffff Private Memory rw True False False -
sortdefault.nls 0x01e30000 0x020fefff Memory Mapped File r False False False -
private_0x0000000002180000 0x02180000 0x021fffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff7c0000 0xff7defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef50f0000 0x7fef5214fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef5220000 0x7fef526bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef8b70000 0x7fef8b7efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef9140000 0x7fef91c5fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefaf90000 0x7fefafa0fff Memory Mapped File rwx False False False -
version.dll 0x7fefbdd0000 0x7fefbddbfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefcaa0000 0x7fefcaaafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefcbb0000 0x7fefcbecfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefcbf0000 0x7fefcc03fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #440: taskkill.exe
Information Value
ID #440
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:29, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:21
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x98c
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x990
0xA7C
0xAB4
0xAE0
0xAE4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
kernelbase.dll.mui 0x00440000 0x004fffff Memory Mapped File rw False False False -
private_0x0000000000540000 0x00540000 0x005bffff Private Memory rw True False False -
private_0x00000000005c0000 0x005c0000 0x005cffff Private Memory rw True False False -
pagefile_0x00000000005d0000 0x005d0000 0x00757fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000760000 0x00760000 0x008e0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000008f0000 0x008f0000 0x01ceffff Pagefile Backed Memory r True False False -
private_0x0000000001d40000 0x01d40000 0x01dbffff Private Memory rw True False False -
private_0x0000000001eb0000 0x01eb0000 0x01f2ffff Private Memory rw True False False -
private_0x00000000020f0000 0x020f0000 0x0216ffff Private Memory rw True False False -
sortdefault.nls 0x02170000 0x0243efff Memory Mapped File r False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff7c0000 0xff7defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef50f0000 0x7fef5214fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef5220000 0x7fef526bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef8b70000 0x7fef8b7efff Memory Mapped File rwx False False False -
Process #441: taskkill.exe
Information Value
ID #441
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:29, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:21
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9d8
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x9DC, 0xAFC, 0xB34, 0xB50, 0xB54
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
Process #442: taskkill.exe
Information Value
ID #442
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:30, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa10
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xA14, 0xAE8, 0xB0C, 0xB44, 0xB48
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
Process #443: taskkill.exe
Information Value
ID #443
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM onenote.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:30, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa70
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xA74, 0xB64, 0xB94, 0xBA4, 0xBA8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
Process #444: taskkill.exe
Information Value
ID #444
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM oracle.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:30, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:20
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa94
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xA98, 0xB70, 0xBA0, 0xBAC, 0xBB0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
Process #445: taskkill.exe
Information Value
ID #445
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM outlook.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:31, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:19
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb00
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB04, 0xBC8, 0xBFC, 0x6D0, 0x73C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
framedynos.dll 0x7fef5220000 0x7fef526bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef8b70000 0x7fef8b7efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef9140000 0x7fef91c5fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefaf90000 0x7fefafa0fff Memory Mapped File rwx False False False -
version.dll 0x7fefbdd0000 0x7fefbddbfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefcaa0000 0x7fefcaaafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefcbb0000 0x7fefcbecfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #446: taskkill.exe
Information Value
ID #446
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:31, Reason: Child Process
Unmonitor End Time: 00:03:46, Reason: Self Terminated
Monitor Duration 00:00:15
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb24
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB28
0xBB8
0xBF0
0xBF4
0xBF8
Region
Process #447: taskkill.exe
Information Value
ID #447
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:31, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:19
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb68
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB6C
0x8C4
0x8E8
0x918
0x15C
Region
Process #448: taskkill.exe
Information Value
ID #448
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:32, Reason: Child Process
Unmonitor End Time: 00:03:51, Reason: Self Terminated
Monitor Duration 00:00:19
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb88
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB8C
0x7F8
0xA24
0xB20
0xB58
Region
Process #449: taskkill.exe
Information Value
ID #449
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:32, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:18
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbbc
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xBC0
0x908
0x914
0xA9C
0xB3C
Region
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #450: taskkill.exe
Information Value
ID #450
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:32, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:18
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbd8
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xBDC
0x7CC
0xA78
0xBEC
0xBE0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory rw True False False -
taskkill.exe.mui 0x000f0000 0x000f3fff Memory Mapped File rw False False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory rw True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory r True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
pagefile_0x0000000000440000 0x00440000 0x005c7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005d0000 0x005d0000 0x00750fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000760000 0x00760000 0x01b5ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b60000 0x01c1ffff Memory Mapped File rw False False False -
private_0x0000000001ca0000 0x01ca0000 0x01d1ffff Private Memory rw True False False -
private_0x0000000001d40000 0x01d40000 0x01dbffff Private Memory rw True False False -
private_0x0000000001e90000 0x01e90000 0x01f0ffff Private Memory rw True False False -
sortdefault.nls 0x01f10000 0x021defff Memory Mapped File r False False False -
private_0x0000000002260000 0x02260000 0x022dffff Private Memory rw True False False -
private_0x0000000002370000 0x02370000 0x023effff Private Memory rw True False False -
private_0x00000000024a0000 0x024a0000 0x0251ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff7c0000 0xff7defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef50f0000 0x7fef5214fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef5220000 0x7fef526bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef8b70000 0x7fef8b7efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef9140000 0x7fef91c5fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefaf90000 0x7fefafa0fff Memory Mapped File rwx False False False -
version.dll 0x7fefbdd0000 0x7fefbddbfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefcaa0000 0x7fefcaaafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefcbb0000 0x7fefcbecfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefcbf0000 0x7fefcc03fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #451: taskkill.exe
Information Value
ID #451
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:32, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:18
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x548
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x520
0xA58
0xB74
0xC08
0xC0C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00070000 0x00073fff Memory Mapped File rw False False False -
private_0x0000000000080000 0x00080000 0x0017ffff Private Memory rw True False False -
locale.nls 0x00180000 0x001e6fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x001f0fff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x00200fff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
pagefile_0x0000000000390000 0x00390000 0x00390fff Pagefile Backed Memory r True False False -
pagefile_0x00000000003a0000 0x003a0000 0x003a0fff Pagefile Backed Memory r True False False -
private_0x00000000003e0000 0x003e0000 0x0045ffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0046ffff Private Memory rw True False False -
pagefile_0x0000000000470000 0x00470000 0x005f7fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000600000 0x00600000 0x00780fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000790000 0x00790000 0x01b8ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b90000 0x01c4ffff Memory Mapped File rw False False False -
private_0x0000000001c50000 0x01c50000 0x01ccffff Private Memory rw True False False -
private_0x0000000001d10000 0x01d10000 0x01d8ffff Private Memory rw True False False -
private_0x0000000001d90000 0x01d90000 0x01e0ffff Private Memory rw True False False -
private_0x0000000001e70000 0x01e70000 0x01eeffff Private Memory rw True False False -
sortdefault.nls 0x01ef0000 0x021befff Memory Mapped File r False False False -
private_0x0000000002230000 0x02230000 0x022affff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff7c0000 0xff7defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef50f0000 0x7fef5214fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef5220000 0x7fef526bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef8b70000 0x7fef8b7efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef9140000 0x7fef91c5fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefaf90000 0x7fefafa0fff Memory Mapped File rwx False False False -
version.dll 0x7fefbdd0000 0x7fefbddbfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefcaa0000 0x7fefcaaafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefcbb0000 0x7fefcbecfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefcbf0000 0x7fefcc03fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #452: taskkill.exe
Information Value
ID #452
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM steam.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:33, Reason: Child Process
Unmonitor End Time: 00:03:49, Reason: Self Terminated
Monitor Duration 00:00:16
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x874
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x8A4
0x9F0
0xB90
0x9A8
0x974
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0011ffff Private Memory rw True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000130000 0x00130000 0x00130fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
pagefile_0x0000000000480000 0x00480000 0x00607fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000610000 0x00610000 0x00790fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007a0000 0x007a0000 0x01b9ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01ba0000 0x01c5ffff Memory Mapped File rw False False False -
private_0x0000000001d00000 0x01d00000 0x01d7ffff Private Memory rw True False False -
private_0x0000000001ea0000 0x01ea0000 0x01f1ffff Private Memory rw True False False -
private_0x0000000001f30000 0x01f30000 0x01faffff Private Memory rw True False False -
sortdefault.nls 0x01fb0000 0x0227efff Memory Mapped File r False False False -
private_0x00000000022a0000 0x022a0000 0x0231ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff7c0000 0xff7defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef50f0000 0x7fef5214fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef5220000 0x7fef526bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef8b70000 0x7fef8b7efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef9140000 0x7fef91c5fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefaf90000 0x7fefafa0fff Memory Mapped File rwx False False False -
version.dll 0x7fefbdd0000 0x7fefbddbfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefcaa0000 0x7fefcaaafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefcbb0000 0x7fefcbecfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefcbf0000 0x7fefcc03fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #453: taskkill.exe
Information Value
ID #453
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM synctime.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:33, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:17
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7fc
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x7D0
0xBD4
0xC38
0xC60
0xC64
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
private_0x0000000000120000 0x00120000 0x0012ffff Private Memory rw True False False -
pagefile_0x0000000000130000 0x00130000 0x00130fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
pagefile_0x0000000000490000 0x00490000 0x00617fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000620000 0x00620000 0x007a0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007b0000 0x007b0000 0x01baffff Pagefile Backed Memory r True False False -
private_0x0000000001c40000 0x01c40000 0x01cbffff Private Memory rw True False False -
kernelbase.dll.mui 0x01cc0000 0x01d7ffff Memory Mapped File rw False False False -
private_0x0000000001de0000 0x01de0000 0x01e5ffff Private Memory rw True False False -
sortdefault.nls 0x01e60000 0x0212efff Memory Mapped File r False False False -
private_0x0000000002250000 0x02250000 0x022cffff Private Memory rw True False False -
private_0x0000000002320000 0x02320000 0x0239ffff Private Memory rw True False False -
private_0x0000000002430000 0x02430000 0x024affff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff7c0000 0xff7defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef50f0000 0x7fef5214fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef5220000 0x7fef526bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef8b70000 0x7fef8b7efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef9140000 0x7fef91c5fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefaf90000 0x7fefafa0fff Memory Mapped File rwx False False False -
version.dll 0x7fefbdd0000 0x7fefbddbfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefcaa0000 0x7fefcaaafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefcbb0000 0x7fefcbecfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefcbf0000 0x7fefcc03fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #454: taskkill.exe
Information Value
ID #454
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:34, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:16
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x994
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA0C
0xC04
0xC3C
0xC48
0xC4C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c6fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
pagefile_0x0000000000250000 0x00250000 0x00251fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00260000 0x00263fff Memory Mapped File rw False False False -
private_0x0000000000270000 0x00270000 0x00270fff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x00280fff Private Memory rw True False False -
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory r True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory r True False False -
private_0x0000000000300000 0x00300000 0x0037ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
pagefile_0x0000000000490000 0x00490000 0x00617fff Pagefile Backed Memory r True False False -
private_0x0000000000660000 0x00660000 0x0066ffff Private Memory rw True False False -
pagefile_0x0000000000670000 0x00670000 0x007f0fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000800000 0x00800000 0x01bfffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01c00000 0x01cbffff Memory Mapped File rw False False False -
private_0x0000000001ce0000 0x01ce0000 0x01d5ffff Private Memory rw True False False -
private_0x0000000001e60000 0x01e60000 0x01edffff Private Memory rw True False False -
private_0x0000000001ef0000 0x01ef0000 0x01f6ffff Private Memory rw True False False -
sortdefault.nls 0x01f70000 0x0223efff Memory Mapped File r False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff7c0000 0xff7defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef50f0000 0x7fef5214fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef5220000 0x7fef526bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef8b70000 0x7fef8b7efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef9140000 0x7fef91c5fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefaf90000 0x7fefafa0fff Memory Mapped File rwx False False False -
version.dll 0x7fefbdd0000 0x7fefbddbfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefcaa0000 0x7fefcaaafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefcbb0000 0x7fefcbecfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefcbf0000 0x7fefcc03fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
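Each taskkill.exe process in this report is a child of the analysis target (parent PID 0x75c, xhcdxx.exe), runs `taskkill /IM <name> /F` against a mail client, Office application or similar, and is otherwise inert ("No high level activity detected"). The children are not the signal; the burst of forced image-name kills from one parent is. The following is an added detection example, not part of the VMRay report: it parses constructed Sysmon-style process-creation records whose command lines mirror the ones above (the field names, PID values, timestamps and the threshold of three distinct targets in 30 seconds are assumptions) and flags a parent that force-kills several distinct images in a short window.

```python
"""Flag a parent that mass-spawns `taskkill /F /IM <image>` children.

Added example, not part of the VMRay report. Event records are constructed
to mirror the command lines in this report; field names follow Sysmon
event ID 1 but the PIDs, timestamps and threshold are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# /IM targets seen in this report (mail and Office clients). Extend with the
# database, backup and browser images such samples usually kill as well.
LOCK_HOLDERS = {"tbirdconfig.exe", "thebat.exe", "thebat64.exe",
                "thunderbird.exe", "visio.exe"}

# Match taskkill / taskkill.exe as a whole token, with or without a quoted
# full path, and capture the arguments that follow it.
TASKKILL_RE = re.compile(r'(?:^|[\\/"\s])taskkill(?:\.exe)?"?\s+(?P<args>.+)$',
                         re.I)


def parse_taskkill(cmdline):
    """Return (image_name, forced) for `taskkill /IM <name> [/F]`,
    or None if the command is not taskkill or names no image."""
    m = TASKKILL_RE.search(cmdline)
    if not m:
        return None
    toks = m.group("args").split()
    image, forced = None, False
    for i, tok in enumerate(toks):
        t = tok.lower()
        if t == "/im" and i + 1 < len(toks):
            image = toks[i + 1].strip('"').lower()
        elif t == "/f":
            forced = True
    return (image, forced) if image else None


def detect_taskkill_bursts(events, min_targets=3, window=timedelta(seconds=30)):
    """Group forced taskkill children by parent and return one alert per
    parent that kills >= min_targets distinct images within `window`."""
    by_parent = defaultdict(list)
    for ev in events:
        parsed = parse_taskkill(ev["CommandLine"])
        if parsed and parsed[1]:          # only forced kills (/F)
            key = (ev["ParentProcessId"], ev["ParentImage"])
            by_parent[key].append((ev["UtcTime"], parsed[0]))
    alerts = []
    for (ppid, pimage), kills in by_parent.items():
        kills.sort()
        for i, (t0, _) in enumerate(kills):   # sliding window over kill times
            targets = {img for t, img in kills[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                alerts.append({"parent_pid": ppid, "parent_image": pimage,
                               "targets": sorted(targets),
                               "watchlist_hits": sorted(targets & LOCK_HOLDERS)})
                break
    return alerts


def _ev(t, ppid, pimage, cmd):
    """Build a constructed process-creation record (Sysmon-like fields)."""
    return {"UtcTime": datetime.strptime(t, "%Y-%m-%d %H:%M:%S"),
            "ParentProcessId": ppid, "ParentImage": pimage, "CommandLine": cmd}


_RANSOM = r"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe"
_TK = r'"C:\Windows\System32\taskkill.exe"'
SAMPLE_EVENTS = [  # constructed; 1884 == 0x75c, the parent PID in this report
    _ev("2018-11-27 19:40:00", 4100, r"C:\Windows\System32\cmd.exe",
        "taskkill /IM notepad.exe"),                     # benign, not forced
    _ev("2018-11-27 19:41:34", 1884, _RANSOM, _TK + " /IM tbirdconfig.exe /F"),
    _ev("2018-11-27 19:41:34", 1884, _RANSOM, _TK + " /IM thebat.exe /F"),
    _ev("2018-11-27 19:41:35", 1884, _RANSOM, _TK + " /IM thebat64.exe /F"),
    _ev("2018-11-27 19:41:35", 1884, _RANSOM, _TK + " /IM thunderbird.exe /F"),
    _ev("2018-11-27 19:41:35", 1884, _RANSOM, _TK + " /IM visio.exe /F"),
    _ev("2018-11-27 19:42:10", 5200, r"C:\Temp\setup.exe",
        "taskkill.exe /F /IM msiexec.exe"),            # single forced kill
]

if __name__ == "__main__":
    for alert in detect_taskkill_bursts(SAMPLE_EVENTS):
        print(alert)
```

Keying on the parent rather than on taskkill.exe itself is what keeps this usable: installers and administrators run single forced kills all day, while a process that enumerates a dozen mail, database and Office images with `/F` in a few seconds is characteristic of ransomware clearing file locks before encryption. The watchlist only enriches the alert; the threshold on distinct targets per parent is what fires it.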
Process #455: taskkill.exe
Information Value
ID #455
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM thebat.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:34, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:16
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8d4
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x89C
0xCC4
0xCEC
0xD2C
0xD30
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0005ffff Private Memory rw True False False -
pagefile_0x0000000000060000 0x00060000 0x00066fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000070000 0x00070000 0x00071fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00080000 0x00083fff Memory Mapped File rw False False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x00190fff Private Memory rw True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory r True False False -
private_0x00000000001c0000 0x001c0000 0x0023ffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
pagefile_0x0000000000440000 0x00440000 0x005c7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005d0000 0x005d0000 0x00750fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000760000 0x00760000 0x01b5ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b60000 0x01c1ffff Memory Mapped File rw False False False -
private_0x0000000001d10000 0x01d10000 0x01d8ffff Private Memory rw True False False -
private_0x0000000001e80000 0x01e80000 0x01efffff Private Memory rw True False False -
private_0x0000000002040000 0x02040000 0x020bffff Private Memory rw True False False -
sortdefault.nls 0x020c0000 0x0238efff Memory Mapped File r False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff7c0000 0xff7defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef50f0000 0x7fef5214fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef5220000 0x7fef526bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef8b70000 0x7fef8b7efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef9140000 0x7fef91c5fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefaf90000 0x7fefafa0fff Memory Mapped File rwx False False False -
version.dll 0x7fefbdd0000 0x7fefbddbfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefcaa0000 0x7fefcaaafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefcbb0000 0x7fefcbecfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefcbf0000 0x7fefcc03fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #456: taskkill.exe
Information Value
ID #456
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:35, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:15
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc18
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xC1C
0xCC8
0xCF0
0xD44
0xD48
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
pagefile_0x0000000000190000 0x00190000 0x00190fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x001fffff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
pagefile_0x0000000000420000 0x00420000 0x005a7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005b0000 0x005b0000 0x00730fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000740000 0x00740000 0x01b3ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b40000 0x01bfffff Memory Mapped File rw False False False -
private_0x0000000001c90000 0x01c90000 0x01d0ffff Private Memory rw True False False -
private_0x0000000001db0000 0x01db0000 0x01e2ffff Private Memory rw True False False -
private_0x0000000001ec0000 0x01ec0000 0x01f3ffff Private Memory rw True False False -
private_0x0000000002000000 0x02000000 0x0207ffff Private Memory rw True False False -
sortdefault.nls 0x02080000 0x0234efff Memory Mapped File r False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff7c0000 0xff7defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef50f0000 0x7fef5214fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef5220000 0x7fef526bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef8b70000 0x7fef8b7efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef9140000 0x7fef91c5fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefaf90000 0x7fefafa0fff Memory Mapped File rwx False False False -
version.dll 0x7fefbdd0000 0x7fefbddbfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefcaa0000 0x7fefcaaafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefcbb0000 0x7fefcbecfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefcbf0000 0x7fefcc03fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #457: taskkill.exe
Information Value
ID #457
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:35, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:15
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc40
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xC44
0xCE4
0xCF8
0xD54
0xD58
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x000dffff Private Memory rw True False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e1fff Pagefile Backed Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
taskkill.exe.mui 0x00270000 0x00273fff Memory Mapped File rw False False False -
private_0x0000000000280000 0x00280000 0x00280fff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x00290fff Private Memory rw True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000002b0000 0x002b0000 0x002b0fff Pagefile Backed Memory r True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
pagefile_0x0000000000400000 0x00400000 0x00587fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000590000 0x00590000 0x00710fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000720000 0x00720000 0x01b1ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b20000 0x01bdffff Memory Mapped File rw False False False -
private_0x0000000001c60000 0x01c60000 0x01cdffff Private Memory rw True False False -
private_0x0000000001d80000 0x01d80000 0x01dfffff Private Memory rw True False False -
private_0x0000000001e50000 0x01e50000 0x01ecffff Private Memory rw True False False -
sortdefault.nls 0x01ed0000 0x0219efff Memory Mapped File r False False False -
private_0x0000000002280000 0x02280000 0x022fffff Private Memory rw True False False -
private_0x0000000002330000 0x02330000 0x023affff Private Memory rw True False False -
private_0x0000000002430000 0x02430000 0x024affff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff7c0000 0xff7defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef50f0000 0x7fef5214fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef5220000 0x7fef526bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef8b70000 0x7fef8b7efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef9140000 0x7fef91c5fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefaf90000 0x7fefafa0fff Memory Mapped File rwx False False False -
version.dll 0x7fefbdd0000 0x7fefbddbfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefcaa0000 0x7fefcaaafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefcbb0000 0x7fefcbecfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefcbf0000 0x7fefcc03fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #458: taskkill.exe
Information Value
ID #458
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM visio.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:35, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:15
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc68
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xC6C
0xCF4
0xD50
0xD7C
0xD80
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x000dffff Private Memory rw True False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e1fff Pagefile Backed Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
taskkill.exe.mui 0x00270000 0x00273fff Memory Mapped File rw False False False -
private_0x0000000000280000 0x00280000 0x00280fff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x00290fff Private Memory rw True False False -
kernelbase.dll.mui 0x002a0000 0x0035ffff Memory Mapped File rw False False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
pagefile_0x0000000000460000 0x00460000 0x005e7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005f0000 0x005f0000 0x00770fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000780000 0x00780000 0x01b7ffff Pagefile Backed Memory r True False False -
private_0x0000000001b80000 0x01b80000 0x01bfffff Private Memory rw True False False -
pagefile_0x0000000001c00000 0x01c00000 0x01c00fff Pagefile Backed Memory r True False False -
pagefile_0x0000000001c10000 0x01c10000 0x01c10fff Pagefile Backed Memory r True False False -
private_0x0000000001d60000 0x01d60000 0x01ddffff Private Memory rw True False False -
private_0x0000000001ef0000 0x01ef0000 0x01f6ffff Private Memory rw True False False -
sortdefault.nls 0x01f70000 0x0223efff Memory Mapped File r False False False -
private_0x0000000002270000 0x02270000 0x022effff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff7c0000 0xff7defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef50f0000 0x7fef5214fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef5220000 0x7fef526bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef8b70000 0x7fef8b7efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef9140000 0x7fef91c5fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefaf90000 0x7fefafa0fff Memory Mapped File rwx False False False -
version.dll 0x7fefbdd0000 0x7fefbddbfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefcaa0000 0x7fefcaaafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefcbb0000 0x7fefcbecfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefcbf0000 0x7fefcc03fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #459: taskkill.exe
Information Value
ID #459
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM winword.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:35, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:15
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc80
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xC84, 0xCE8, 0xD0C, 0xD5C, 0xD60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory rw True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
taskkill.exe.mui 0x00160000 0x00163fff Memory Mapped File rw False False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x00190fff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x0021ffff Private Memory rw True False False -
pagefile_0x0000000000220000 0x00220000 0x00220fff Pagefile Backed Memory r True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
pagefile_0x0000000000430000 0x00430000 0x005b7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005c0000 0x005c0000 0x00740fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000750000 0x00750000 0x01b4ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01b50000 0x01c0ffff Memory Mapped File rw False False False -
pagefile_0x0000000001c10000 0x01c10000 0x01c10fff Pagefile Backed Memory r True False False -
private_0x0000000001cb0000 0x01cb0000 0x01d2ffff Private Memory rw True False False -
private_0x0000000001d70000 0x01d70000 0x01deffff Private Memory rw True False False -
private_0x0000000001ea0000 0x01ea0000 0x01f1ffff Private Memory rw True False False -
sortdefault.nls 0x01f20000 0x021eefff Memory Mapped File r False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff7c0000 0xff7defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef50f0000 0x7fef5214fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef5220000 0x7fef526bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef8b70000 0x7fef8b7efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef9140000 0x7fef91c5fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefaf90000 0x7fefafa0fff Memory Mapped File rwx False False False -
version.dll 0x7fefbdd0000 0x7fefbddbfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefcaa0000 0x7fefcaaafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefcbb0000 0x7fefcbecfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #460: taskkill.exe
Information Value
ID #460
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:35, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:15
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xca4
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xCA8, 0xD9C, 0xDB4, 0xDBC, 0xDC0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
kernelbase.dll.mui 0x001f0000 0x002affff Memory Mapped File rw False False False -
private_0x00000000002b0000 0x002b0000 0x002bffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0054ffff Private Memory rw True False False -
pagefile_0x0000000000550000 0x00550000 0x006d7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006e0000 0x006e0000 0x00860fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000870000 0x00870000 0x01c6ffff Pagefile Backed Memory r True False False -
private_0x0000000001c90000 0x01c90000 0x01d0ffff Private Memory rw True False False -
private_0x0000000001d10000 0x01d10000 0x01d8ffff Private Memory rw True False False -
private_0x0000000001ea0000 0x01ea0000 0x01f1ffff Private Memory rw True False False -
private_0x0000000002100000 0x02100000 0x0217ffff Private Memory rw True False False -
sortdefault.nls 0x02180000 0x0244efff Memory Mapped File r False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff7c0000 0xff7defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef50f0000 0x7fef5214fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef5220000 0x7fef526bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef8b70000 0x7fef8b7efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef9140000 0x7fef91c5fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefaf90000 0x7fefafa0fff Memory Mapped File rwx False False False -
version.dll 0x7fefbdd0000 0x7fefbddbfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefcaa0000 0x7fefcaaafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefcbb0000 0x7fefcbecfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefcbf0000 0x7fefcc03fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #461: taskkill.exe
Information Value
ID #461
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:35, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:15
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0xcb8
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xCBC, 0xDA0, 0xDB8, 0xDC8, 0xDCC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00070000 0x00073fff Memory Mapped File rw False False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x00090fff Private Memory rw True False False -
pagefile_0x00000000000a0000 0x000a0000 0x000a0fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory r True False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
private_0x0000000000470000 0x00470000 0x004effff Private Memory rw True False False -
private_0x00000000004f0000 0x004f0000 0x004fffff Private Memory rw True False False -
pagefile_0x0000000000500000 0x00500000 0x00687fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000690000 0x00690000 0x00810fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000820000 0x00820000 0x01c1ffff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x01c20000 0x01cdffff Memory Mapped File rw False False False -
private_0x0000000001d60000 0x01d60000 0x01ddffff Private Memory rw True False False -
private_0x0000000001df0000 0x01df0000 0x01e6ffff Private Memory rw True False False -
private_0x0000000001e80000 0x01e80000 0x01efffff Private Memory rw True False False -
private_0x0000000001fb0000 0x01fb0000 0x0202ffff Private Memory rw True False False -
sortdefault.nls 0x02030000 0x022fefff Memory Mapped File r False False False -
private_0x0000000002490000 0x02490000 0x0250ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff7c0000 0xff7defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef50f0000 0x7fef5214fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef5220000 0x7fef526bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef8b70000 0x7fef8b7efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef9140000 0x7fef91c5fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefaf90000 0x7fefafa0fff Memory Mapped File rwx False False False -
version.dll 0x7fefbdd0000 0x7fefbddbfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefcaa0000 0x7fefcaaafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefcbb0000 0x7fefcbecfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefcbf0000 0x7fefcc03fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #462: taskkill.exe
Information Value
ID #462
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:36, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:14
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0xcfc
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD00, 0xDEC, 0xE14, 0xE4C, 0xE50
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x000e0000 0x000e3fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x0017ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
kernelbase.dll.mui 0x00370000 0x0042ffff Memory Mapped File rw False False False -
private_0x0000000000430000 0x00430000 0x0052ffff Private Memory rw True False False -
pagefile_0x0000000000530000 0x00530000 0x006b7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006c0000 0x006c0000 0x00840fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000850000 0x00850000 0x01c4ffff Pagefile Backed Memory r True False False -
private_0x0000000001cc0000 0x01cc0000 0x01d3ffff Private Memory rw True False False -
private_0x0000000001e60000 0x01e60000 0x01edffff Private Memory rw True False False -
private_0x0000000001fe0000 0x01fe0000 0x0205ffff Private Memory rw True False False -
sortdefault.nls 0x02060000 0x0232efff Memory Mapped File r False False False -
private_0x0000000002330000 0x02330000 0x023affff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff7c0000 0xff7defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef50f0000 0x7fef5214fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef5220000 0x7fef526bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef8b70000 0x7fef8b7efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef9140000 0x7fef91c5fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefaf90000 0x7fefafa0fff Memory Mapped File rwx False False False -
version.dll 0x7fefbdd0000 0x7fefbddbfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefcaa0000 0x7fefcaaafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefcbb0000 0x7fefcbecfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefcbf0000 0x7fefcc03fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #463: taskkill.exe
Information Value
ID #463
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:36, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:14
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd18
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD1C, 0xDD4, 0xE04, 0xE3C, 0xE40
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory rw True False False -
private_0x0000000000070000 0x00070000 0x0007ffff Private Memory rw True False False -
taskkill.exe.mui 0x00080000 0x00083fff Memory Mapped File rw False False False -
private_0x0000000000090000 0x00090000 0x00090fff Private Memory rw True False False -
private_0x00000000000a0000 0x000a0000 0x000a0fff Private Memory rw True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
kernelbase.dll.mui 0x001a0000 0x0025ffff Memory Mapped File rw False False False -
pagefile_0x0000000000260000 0x00260000 0x00260fff Pagefile Backed Memory r True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
pagefile_0x0000000000470000 0x00470000 0x005f7fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000600000 0x00600000 0x00780fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000790000 0x00790000 0x01b8ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001b90000 0x01b90000 0x01b90fff Pagefile Backed Memory r True False False -
private_0x0000000001c00000 0x01c00000 0x01c7ffff Private Memory rw True False False -
private_0x0000000001ca0000 0x01ca0000 0x01d1ffff Private Memory rw True False False -
private_0x0000000001d20000 0x01d20000 0x01d9ffff Private Memory rw True False False -
private_0x0000000001de0000 0x01de0000 0x01e5ffff Private Memory rw True False False -
sortdefault.nls 0x01e60000 0x0212efff Memory Mapped File r False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff7c0000 0xff7defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef50f0000 0x7fef5214fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef5220000 0x7fef526bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef8b70000 0x7fef8b7efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef9140000 0x7fef91c5fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefaf90000 0x7fefafa0fff Memory Mapped File rwx False False False -
version.dll 0x7fefbdd0000 0x7fefbddbfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefcaa0000 0x7fefcaaafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefcbb0000 0x7fefcbecfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefcbf0000 0x7fefcc03fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #464: taskkill.exe
Information Value
ID #464
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:36, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:14
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd6c
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD70, 0xE00, 0xE24, 0xE5C, 0xE60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory rw True False False -
taskkill.exe.mui 0x000f0000 0x000f3fff Memory Mapped File rw False False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory rw True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000130000 0x00130000 0x00130fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
pagefile_0x0000000000480000 0x00480000 0x00607fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000610000 0x00610000 0x00790fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007a0000 0x007a0000 0x01b9ffff Pagefile Backed Memory r True False False -
private_0x0000000001ba0000 0x01ba0000 0x01c1ffff Private Memory rw True False False -
kernelbase.dll.mui 0x01c20000 0x01cdffff Memory Mapped File rw False False False -
private_0x0000000001d00000 0x01d00000 0x01d7ffff Private Memory rw True False False -
private_0x0000000001de0000 0x01de0000 0x01e5ffff Private Memory rw True False False -
sortdefault.nls 0x01e60000 0x0212efff Memory Mapped File r False False False -
private_0x00000000022f0000 0x022f0000 0x0236ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff7c0000 0xff7defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef50f0000 0x7fef5214fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef5220000 0x7fef526bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef8b70000 0x7fef8b7efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef9140000 0x7fef91c5fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefaf90000 0x7fefafa0fff Memory Mapped File rwx False False False -
version.dll 0x7fefbdd0000 0x7fefbddbfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefcaa0000 0x7fefcaaafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefcbb0000 0x7fefcbecfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefcbf0000 0x7fefcc03fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #465: taskkill.exe
Information Value
ID #465
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:36, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:14
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd90
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD94, 0xE1C, 0xE58, 0xE6C, 0xE70
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001d0000 0x001d0000 0x001d1fff Pagefile Backed Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
pagefile_0x0000000000370000 0x00370000 0x004f7fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000500000 0x00500000 0x00680fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000690000 0x00690000 0x01a8ffff Pagefile Backed Memory r True False False -
taskkill.exe.mui 0x01a90000 0x01a93fff Memory Mapped File rw False False False -
private_0x0000000001aa0000 0x01aa0000 0x01aa0fff Private Memory rw True False False -
private_0x0000000001ab0000 0x01ab0000 0x01ab0fff Private Memory rw True False False -
pagefile_0x0000000001ac0000 0x01ac0000 0x01ac0fff Pagefile Backed Memory r True False False -
pagefile_0x0000000001ad0000 0x01ad0000 0x01ad0fff Pagefile Backed Memory r True False False -
private_0x0000000001b30000 0x01b30000 0x01baffff Private Memory rw True False False -
kernelbase.dll.mui 0x01bb0000 0x01c6ffff Memory Mapped File rw False False False -
private_0x0000000001d10000 0x01d10000 0x01d8ffff Private Memory rw True False False -
private_0x0000000001e60000 0x01e60000 0x01edffff Private Memory rw True False False -
sortdefault.nls 0x01ee0000 0x021aefff Memory Mapped File r False False False -
private_0x00000000021e0000 0x021e0000 0x0225ffff Private Memory rw True False False -
private_0x0000000002290000 0x02290000 0x0230ffff Private Memory rw True False False -
private_0x0000000002420000 0x02420000 0x0249ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff7c0000 0xff7defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef50f0000 0x7fef5214fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef5220000 0x7fef526bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef8b70000 0x7fef8b7efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef9140000 0x7fef91c5fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefaf90000 0x7fefafa0fff Memory Mapped File rwx False False False -
version.dll 0x7fefbdd0000 0x7fefbddbfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefcaa0000 0x7fefcaaafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefcbb0000 0x7fefcbecfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefcbf0000 0x7fefcc03fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #466: taskkill.exe
Information Value
ID #466
File Name c:\windows\system32\taskkill.exe
Command Line "C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:37, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:13
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xddc
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xDE0, 0xE88, 0xEB4, 0xEB8, 0xEBC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c6fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
pagefile_0x0000000000250000 0x00250000 0x00251fff Pagefile Backed Memory rw True False False -
taskkill.exe.mui 0x00260000 0x00263fff Memory Mapped File rw False False False -
private_0x0000000000270000 0x00270000 0x00270fff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x00280fff Private Memory rw True False False -
kernelbase.dll.mui 0x00290000 0x0034ffff Memory Mapped File rw False False False -
pagefile_0x0000000000350000 0x00350000 0x00350fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000360000 0x00360000 0x00360fff Pagefile Backed Memory r True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
pagefile_0x00000000004a0000 0x004a0000 0x00627fff Pagefile Backed Memory r True False False -
private_0x0000000000660000 0x00660000 0x0066ffff Private Memory rw True False False -
pagefile_0x0000000000670000 0x00670000 0x007f0fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000800000 0x00800000 0x01bfffff Pagefile Backed Memory r True False False -
private_0x0000000001ce0000 0x01ce0000 0x01d5ffff Private Memory rw True False False -
private_0x0000000001dc0000 0x01dc0000 0x01e3ffff Private Memory rw True False False -
private_0x0000000001f90000 0x01f90000 0x0200ffff Private Memory rw True False False -
sortdefault.nls 0x02010000 0x022defff Memory Mapped File r False False False -
private_0x0000000002370000 0x02370000 0x023effff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskkill.exe 0xff7c0000 0xff7defff Memory Mapped File rwx False False False -
dbghelp.dll 0x7fef50f0000 0x7fef5214fff Memory Mapped File rwx False False False -
framedynos.dll 0x7fef5220000 0x7fef526bfff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef8b70000 0x7fef8b7efff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef9140000 0x7fef91c5fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefaf90000 0x7fefafa0fff Memory Mapped File rwx False False False -
version.dll 0x7fefbdd0000 0x7fefbddbfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefcaa0000 0x7fefcaaafff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefcbb0000 0x7fefcbecfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefcbf0000 0x7fefcc03fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #467: net.exe
Information Value
ID #467
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:37, Reason: Child Process
Unmonitor End Time: 00:03:38, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe08
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE0C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0045ffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0055ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #468: net.exe
Information Value
ID #468
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:37, Reason: Child Process
Unmonitor End Time: 00:03:39, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe30
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xE34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0054ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #469: net.exe
Information Value
ID #469
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Agent" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:38, Reason: Child Process
Unmonitor End Time: 00:03:39, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe74
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xE78
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000a0000 0x000a0000 0x000affff Private Memory rw True False False -
private_0x00000000000b0000 0x000b0000 0x001affff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
locale.nls 0x00250000 0x002b6fff Memory Mapped File r False False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #470: net1.exe
Information Value
ID #470
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Enterprise Client Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:38, Reason: Child Process
Unmonitor End Time: 00:03:38, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xe8c
Parent PID 0xe30 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xE90
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x0013ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff470000 0xff4a2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff470000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:28 (UTC) True 1
Get Time type = Ticks, time = 43539 True 1
Process #471: net1.exe
Information Value
ID #471
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:38, Reason: Child Process
Unmonitor End Time: 00:03:38, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xe94
Parent PID 0xe08 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xE98
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff470000 0xff4a2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff470000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:28 (UTC) True 1
Get Time type = Ticks, time = 43586 True 1
Process #472: net.exe
Information Value
ID #472
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:38, Reason: Child Process
Unmonitor End Time: 00:03:40, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xea4
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xEA8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #473: net.exe
Information Value
ID #473
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:38, Reason: Child Process
Unmonitor End Time: 00:03:39, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xecc
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xED0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #474: net.exe
Information Value
ID #474
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:38, Reason: Child Process
Unmonitor End Time: 00:03:40, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xee4
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xEE8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #475: net1.exe
Information Value
ID #475
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Agent" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:38, Reason: Child Process
Unmonitor End Time: 00:03:39, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xef8
Parent PID 0xe74 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xEFC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff810000 0xff842fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff810000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:29 (UTC) True 1
Get Time type = Ticks, time = 44101 True 1
Process #476: net.exe
Information Value
ID #476
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:38, Reason: Child Process
Unmonitor End Time: 00:03:41, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf08
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xF0C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #477: net.exe
Information Value
ID #477
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Health Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:39, Reason: Child Process
Unmonitor End Time: 00:03:43, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf28
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xF2C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #478: net1.exe
Information Value
ID #478
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:39, Reason: Child Process
Unmonitor End Time: 00:03:40, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf30
Parent PID 0xea4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
private_0x0000000000500000 0x00500000 0x0050ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffc70000 0xffca2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffc70000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:29 (UTC) True 1
Get Time type = Ticks, time = 44491 True 1
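The rows above record the sample's defense-impairment step: a second xhcdxx.exe instance (PID 0x75c, distinct from the 0xb0 analysis target) spawns one `net.exe stop "<Sophos service>" /y` per service, each net.exe re-launches itself as net1.exe, and net1.exe opens the service control manager and then fails to resolve the service name (Get Service Name, Success = False) because the targeted Sophos services are not installed in the analysis VM; only error text is written to STDERR. Two points matter for detection: alert on the attempt rather than the outcome (every stop here fails, and a Medium-integrity, non-elevated token would normally lack SERVICE_STOP access to a third-party security service on a real host anyway), and collapse the net.exe/net1.exe pair so that one `net stop` is counted once and attributed to the process that issued it. The Python below is an added example, not part of the VMRay report or of the sample: it applies that logic to constructed Sysmon Event ID 1 style process-creation records built from the PIDs and command lines in this section (the net.exe parent of #478, PID 0xea4, lies outside this excerpt, so its command line is assumed to mirror its net1.exe child), plus a constructed benign `net stop Spooler` from cmd.exe as a control. The vendor keyword list, the burst threshold and the time window are assumptions to tune for your estate.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Illustrative vendor/product tokens (assumption, not from the report). Spaces
# are stripped from the service name before matching, so "Carbon Black" hits.
PROTECTED_SERVICE_HINTS = ("sophos", "windefend", "defender", "mcafee", "symantec",
                           "kaspersky", "eset", "crowdstrike", "carbonblack",
                           "sentinel", "malwarebytes")
NET_IMAGES = {"net.exe", "net1.exe"}

# Matches `net stop <svc>`, `"...\net.exe" stop "<svc>" /y`, `...\net1 stop "<svc>"`:
# optional quote, optional drive path, net or net1, optional .exe, quoted or bare name.
NET_STOP_RE = re.compile(
    r'^"?(?:[a-z]:\\[^"\s]*\\)?net1?(?:\.exe)?"?\s+stop\s+'
    r'(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))',
    re.IGNORECASE,
)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_net_stop(cmdline):
    """Return the service named in a `net stop` command line, else None."""
    m = NET_STOP_RE.match(cmdline.strip())
    return (m.group("quoted") or m.group("bare")) if m else None


def find_origin(event, by_pid):
    """Walk up through net.exe/net1.exe ancestors to the process that issued the
    stop. net.exe re-launches itself as net1.exe, so one `net stop` yields two
    creation events; attributing both to one origin prevents double counting."""
    cur = event
    while basename(cur["ParentImage"]) in NET_IMAGES and cur["ParentProcessId"] in by_pid:
        cur = by_pid[cur["ParentProcessId"]]
    return cur["ParentProcessId"], cur["ParentImage"]


def is_protected(service):
    flat = service.lower().replace(" ", "")
    return any(hint in flat for hint in PROTECTED_SERVICE_HINTS)


def detect_service_stops(events, min_distinct=3, window_seconds=60):
    """Group `net stop` attempts by originating process. Alert when an origin
    targets a security-product service, or stops >= min_distinct distinct
    services within window_seconds (mass service shutdown)."""
    by_pid = {e["ProcessId"]: e for e in events}
    per_origin = defaultdict(dict)  # (pid, image) -> {service: first seen}
    for e in events:
        if basename(e["Image"]) not in NET_IMAGES:
            continue
        svc = parse_net_stop(e["CommandLine"])
        if svc is None:
            continue
        ts = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S")
        seen = per_origin[find_origin(e, by_pid)]
        seen[svc] = min(seen.get(svc, ts), ts)

    alerts = []
    for (pid, image), seen in per_origin.items():
        times = sorted(seen.values())
        span = (times[-1] - times[0]).total_seconds()
        protected = sorted(s for s in seen if is_protected(s))
        burst = len(seen) >= min_distinct and span <= window_seconds
        if protected or burst:
            alerts.append({"origin_pid": pid, "origin_image": image,
                           "services": sorted(seen), "protected_services": protected,
                           "reason": "security_service" if protected else "burst"})
    return alerts


# Constructed Sysmon Event ID 1 style records (not sandbox output). PIDs and command
# lines come from this report section, kept in the report's hex form; timestamps use
# the System Time the net1.exe processes queried. PID 0xea4's command line is assumed.
ORIGIN = r"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe"
NET = r"C:\Windows\System32\net.exe"
NET1 = r"C:\Windows\System32\net1.exe"


def _ev(t, pid, image, cmd, ppid, pimage):
    return {"UtcTime": t, "ProcessId": pid, "Image": image, "CommandLine": cmd,
            "ParentProcessId": ppid, "ParentImage": pimage}


SAMPLE_EVENTS = [
    _ev("2018-11-27 08:42:29", "0xf28", NET, r'"C:\Windows\System32\net.exe" stop "Sophos Health Service" /y', "0x75c", ORIGIN),
    _ev("2018-11-27 08:42:29", "0xea4", NET, r'"C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y', "0x75c", ORIGIN),
    _ev("2018-11-27 08:42:29", "0xf30", NET1, r'C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y', "0xea4", NET),
    _ev("2018-11-27 08:42:29", "0xf54", NET, r'"C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y', "0x75c", ORIGIN),
    _ev("2018-11-27 08:42:30", "0xfa8", NET1, r'C:\Windows\system32\net1 stop "Sophos MCS Agent" /y', "0xf54", NET),
    # Benign control (constructed): an operator restarting the print spooler from cmd.exe.
    _ev("2018-11-27 08:50:00", "0x1a0", NET, "net stop Spooler", "0x190", r"C:\Windows\System32\cmd.exe"),
    _ev("2018-11-27 08:50:00", "0x1a4", NET1, r"C:\Windows\system32\net1 stop Spooler", "0x1a0", NET),
]

if __name__ == "__main__":
    print(json.dumps(detect_service_stops(SAMPLE_EVENTS), indent=2))
```

Run stand-alone, the block prints a single alert attributed to xhcdxx.exe (PID 0x75c) listing the three Sophos services, while the cmd.exe-originated Spooler stop produces nothing. In production the same grouping is done per host and per origin process GUID rather than per PID, since PIDs are reused.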
Process #479: net1.exe
Information Value
ID #479
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Clean Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:39, Reason: Child Process
Unmonitor End Time: 00:03:40, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf38
Parent PID 0xecc (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF3C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory rw True False False -
locale.nls 0x00170000 0x001d6fff Memory Mapped File r False False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffc70000 0xffca2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffc70000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:29 (UTC) True 1
Get Time type = Ticks, time = 44413 True 1
Process #480: net.exe
Information Value
ID #480
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:39, Reason: Child Process
Unmonitor End Time: 00:03:42, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf54
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF58
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #481: net1.exe
Information Value
ID #481
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:39, Reason: Child Process
Unmonitor End Time: 00:03:40, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf6c
Parent PID 0xee4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF70
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000120000 0x00120000 0x0012ffff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe80000 0xffeb2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe80000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:29 (UTC) True 1
Get Time type = Ticks, time = 44897 True 1
Process #482: net.exe
Information Value
ID #482
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:39, Reason: Child Process
Unmonitor End Time: 00:03:45, Reason: Self Terminated
Monitor Duration 00:00:06
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf7c
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF80
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #483: net.exe
Information Value
ID #483
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Message Router" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:39, Reason: Child Process
Unmonitor End Time: 00:03:49, Reason: Self Terminated
Monitor Duration 00:00:10
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf90
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF94
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0021ffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
browcli.dll 0x7feface0000 0x7fefacf1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #484: net1.exe
Information Value
ID #484
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:40, Reason: Child Process
Unmonitor End Time: 00:03:41, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xfa0
Parent PID 0xf08 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xFA4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
private_0x00000000005f0000 0x005f0000 0x005fffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff670000 0xff6a2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff670000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:30 (UTC) True 1
Get Time type = Ticks, time = 45255 True 1
Process #485: net1.exe
Information Value
ID #485
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:40, Reason: Child Process
Unmonitor End Time: 00:03:40, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xfa8
Parent PID 0xf54 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xFAC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory rw True False False -
locale.nls 0x00160000 0x001c6fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff670000 0xff6a2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff670000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:30 (UTC) True 1 Fn
Get Time type = Ticks, time = 45365 True 1 Fn
Process #486: net1.exe
17 0
Information Value
ID #486
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Health Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:40, Reason: Child Process
Unmonitor End Time: 00:03:41, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xfc0
Parent PID 0xf28 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xfc4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
private_0x0000000000660000 0x00660000 0x0066ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff670000 0xff6a2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff670000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:30 (UTC) True 1 Fn
Get Time type = Ticks, time = 45708 True 1 Fn
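The net1.exe processes in this report (and the net.exe processes that spawn them) are the sample stopping security and backup services by name: the ransomware launches net.exe stop "<service>" /y, net.exe hands the work to net1.exe, and net1.exe opens the service control manager (Open Manager on SERVICES_ACTIVE_DATABASE) and then fails to resolve the service (Get Service Name, Success False). The failed lookups indicate the named services are not present in the analysis VM; the netmsg.dll load and the 30, 2, 52 and 2 byte writes to STD_ERROR_HANDLE are consistent with net printing "The service name is invalid." and "More help is available by typing NET HELPMSG 2185." (28 and 50 characters plus CRLF), but the report does not decode the written data, so treat that as an inference. The practical consequence is that this activity is evidence of intent, not of effect: a detection cannot wait for a service to enter the stopped state (System log event 7036) and has to key on the command lines, which map to ATT&CK T1489 (Service Stop) and T1562.001 (Impair Defenses: Disable or Modify Tools). The Python below is an added example and is not part of this report or of VMRay's tooling. It runs that detection over constructed process-creation events in the shape of Sysmon Event ID 1 (the PIDs, the user path and the keyword lists are assumptions, not values from this report), walks the parent chain back to the root process, and raises an aggregate alert when one root stops several distinct services.

```python
"""Added detection example (not from the VMRay report): flags net[1].exe stop
"<service>" /y and taskkill /IM <image> /F over process-creation events."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed keyword lists; tune to the security and backup/database products deployed.
SECURITY_TOOL_HINTS = ("sophos", "defender", "mcafee", "symantec", "kaspersky",
                       "sentinel", "crowdstrike", "malwarebytes", "eset")
DATA_SERVICE_HINTS = ("sql", "backup", "oracle", "exchange", "veeam", "zoolz")
MASS_STOP_THRESHOLD = 3  # distinct services stopped under one root process

@dataclass(frozen=True)
class Process:
    pid: int
    ppid: int
    image: str
    cmd: str

@dataclass(frozen=True)
class Finding:
    pid: int
    root_pid: int
    technique: str
    severity: str
    detail: str

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def tokenize(cmd: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmd)]

def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(name: str) -> Tuple[str, str]:
    """Map a service or image name to (ATT&CK technique, severity)."""
    n = name.lower()
    if any(h in n for h in SECURITY_TOOL_HINTS):
        return "T1562.001", "high"  # Impair Defenses: Disable or Modify Tools
    if any(h in n for h in DATA_SERVICE_HINTS):
        return "T1489", "high"      # Service Stop: release locked data files
    return "T1489", "info"

def parse_net_stop(cmd: str) -> Optional[Tuple[str, bool]]:
    """(service name, /y present) for 'net[1] stop <service> [/y]', else None."""
    toks = tokenize(cmd)
    if len(toks) >= 3 and toks[1].lower() == "stop":
        return toks[2], any(t.lower() == "/y" for t in toks[3:])
    return None

def parse_taskkill(cmd: str) -> Optional[Tuple[str, bool]]:
    """(image, /F present) for 'taskkill /IM <image> [/F]', else None."""
    toks = tokenize(cmd)
    target, forced = None, False
    for i, t in enumerate(toks):
        if t.lower() == "/im" and i + 1 < len(toks):
            target = toks[i + 1]
        elif t.lower() == "/f":
            forced = True
    return (target, forced) if target else None

def root_ancestor(pid: int, procs: Dict[int, Process]) -> int:
    """Follow ppid links to the oldest ancestor present in the event set."""
    seen: Set[int] = set()
    while pid in procs and procs[pid].ppid in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid].ppid
    return pid

def analyze(events: List[Process]) -> Tuple[List[Finding], Dict[int, Set[str]]]:
    """Per-event findings plus, per root process, the distinct services it stopped."""
    procs = {e.pid: e for e in events}
    findings: List[Finding] = []
    stopped: Dict[int, Set[str]] = {}
    for e in events:
        img, root = image_name(e.image), root_ancestor(e.pid, procs)
        if img in ("net.exe", "net1.exe") and (hit := parse_net_stop(e.cmd)):
            svc, unattended = hit
            tech, sev = classify(svc)
            findings.append(Finding(e.pid, root, tech, sev, f"{img} stop {svc!r} /y={unattended}"))
            stopped.setdefault(root, set()).add(svc.lower())
        elif img == "taskkill.exe" and (hit := parse_taskkill(e.cmd)):
            target, forced = hit
            tech, sev = classify(target)
            findings.append(Finding(e.pid, root, tech, sev if forced else "info",
                                    f"taskkill /IM {target} /F={forced}"))
    for root, svcs in stopped.items():  # many stops under one root: ransomware preparation
        if len(svcs) >= MASS_STOP_THRESHOLD:
            findings.append(Finding(root, root, "T1489", "critical",
                                    f"{len(svcs)} distinct services stopped under {image_name(procs[root].image)}"))
    return findings, stopped

# Constructed sample events (Sysmon Event ID 1 shape); PIDs and the user path are made up.
SAMPLE_EVENTS = [
    Process(0x75c, 0x3a4, r"C:\Users\user\Desktop\xhcdxx.exe", r'"C:\Users\user\Desktop\xhcdxx.exe"'),
    Process(0xf28, 0x75c, r"C:\Windows\System32\net.exe", r'"C:\Windows\System32\net.exe" stop "Sophos Health Service" /y'),
    Process(0xfc0, 0xf28, r"C:\Windows\System32\net1.exe", r'C:\Windows\system32\net1 stop "Sophos Health Service" /y'),
    Process(0xfcc, 0x75c, r"C:\Windows\System32\net.exe", r'"C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y'),
    Process(0xe30, 0xfcc, r"C:\Windows\System32\net1.exe", r'C:\Windows\system32\net1 stop "Sophos Safestore Service" /y'),
    Process(0xefc, 0x75c, r"C:\Windows\System32\net.exe", r'"C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y'),
    Process(0x0f0, 0x75c, r"C:\Windows\System32\taskkill.exe", r'"C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F'),
    Process(0x900, 0x3a4, r"C:\Windows\System32\net.exe", r'"C:\Windows\System32\net.exe" stop Spooler'),  # routine admin
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS)[0]:
        print(f"{f.severity:8} {f.technique:9} pid=0x{f.pid:x} root=0x{f.root_pid:x} {f.detail}")
```

On real telemetry, build the Process records from Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine) or Security event 4688. net.exe and net1.exe both log the same command line, which is why the aggregate alert counts distinct service names under one root rather than events; the lone "net stop Spooler" without a parent in the set stays at info severity.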
Process #487: net.exe
0 0
Information Value
ID #487
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:40, Reason: Child Process
Unmonitor End Time: 00:03:49, Reason: Self Terminated
Monitor Duration 00:00:09
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfcc
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xfd0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #488: net1.exe
17 0
Information Value
ID #488
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos MCS Client" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:40, Reason: Child Process
Unmonitor End Time: 00:03:44, Reason: Self Terminated
Monitor Duration 00:00:04
OS Process Information
Information Value
PID 0xff8
Parent PID 0xf7c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xffc
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x0030ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff7a0000 0xff7d2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff7a0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:31 (UTC) True 1 Fn
Get Time type = Ticks, time = 46862 True 1 Fn
Process #489: net.exe
0 0
Information Value
ID #489
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:47, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xeb0
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xe84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x0000000000500000 0x00500000 0x0050ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef5a50000 0x7fef5a61fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #490: net1.exe
17 0
Information Value
ID #490
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:47, Reason: Child Process
Unmonitor End Time: 00:03:48, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xe30
Parent PID 0xfcc (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xe68
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x000dffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff4a0000 0xff4d2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7feface0000 0x7fefacf1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff4a0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:37 (UTC) True 1 Fn
Get Time type = Ticks, time = 52790 True 1 Fn
Process #491: net1.exe
17 0
Information Value
ID #491
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Message Router" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:47, Reason: Child Process
Unmonitor End Time: 00:03:48, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xe44
Parent PID 0xf90 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xe7c
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0005ffff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory rw True False False -
locale.nls 0x00190000 0x001f6fff Memory Mapped File r False False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff4a0000 0xff4d2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7feface0000 0x7fefacf1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff4a0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:37 (UTC) True 1 Fn
Get Time type = Ticks, time = 52993 True 1 Fn
Process #492: net.exe
0 0
Information Value
ID #492
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:47, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe54
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xe28
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #493: net.exe
0 0
Information Value
ID #493
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:48, Reason: Child Process
Unmonitor End Time: 00:03:51, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xefc
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xef8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000120000 0x00120000 0x0021ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #494: net.exe
Information Value
ID #494
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:48, Reason: Child Process
Unmonitor End Time: 00:03:51, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xee0
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xE78
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #495: net1.exe
Information Value
ID #495
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:48, Reason: Child Process
Unmonitor End Time: 00:03:49, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf38
Parent PID 0xeb0 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xE74
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x0000000000530000 0x00530000 0x0053ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff080000 0xff0b2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5a50000 0x7fef5a61fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff080000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:38 (UTC) True 1
Get Time type = Ticks, time = 53383 True 1
Process #496: net1.exe
Information Value
ID #496
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:48, Reason: Child Process
Unmonitor End Time: 00:03:49, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf34
Parent PID 0xe54 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xF18
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000120000 0x00120000 0x0021ffff Private Memory rw True False False -
locale.nls 0x00220000 0x00286fff Memory Mapped File r False False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x003effff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff080000 0xff0b2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5a50000 0x7fef5a61fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff080000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:38 (UTC) True 1
Get Time type = Ticks, time = 53945 True 1
Process #497: net.exe
Information Value
ID #497
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:48, Reason: Child Process
Unmonitor End Time: 00:03:51, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfd8
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x8D8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
browcli.dll 0x7feface0000 0x7fefacf1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #498: net1.exe
Information Value
ID #498
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:49, Reason: Child Process
Unmonitor End Time: 00:03:51, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xfe4
Parent PID 0xefc (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x610
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
private_0x00000000005e0000 0x005e0000 0x005effff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffd00000 0xffd32fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5a50000 0x7fef5a61fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffd00000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:39 (UTC) True 1
Get Time type = Ticks, time = 54397 True 1
Process #499: net1.exe
Information Value
ID #499
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:50, Reason: Child Process
Unmonitor End Time: 00:03:51, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xfec
Parent PID 0xee0 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x6D4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000160000 0x00160000 0x0016ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffd00000 0xffd32fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5a50000 0x7fef5a61fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffd00000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:40 (UTC) True 1
Get Time type = Ticks, time = 55473 True 1
Process #500: net.exe
Information Value
ID #500
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:50, Reason: Child Process
Unmonitor End Time: 00:03:52, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x504
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xFF0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0044ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef5a50000 0x7fef5a61fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #501: net1.exe
Information Value
ID #501
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Symantec System Recovery" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:50, Reason: Child Process
Unmonitor End Time: 00:03:51, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x9d4
Parent PID 0xfd8 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xFA8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x003affff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff440000 0xff472fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7feface0000 0x7fefacf1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff440000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:40 (UTC) True 1 Fn
Get Time type = Ticks, time = 55817 True 1 Fn
Process #502: net.exe
0 0
Information Value
ID #502
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop AcronisAgent /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:50, Reason: Child Process
Unmonitor End Time: 00:03:52, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf48
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xFC4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
private_0x0000000000520000 0x00520000 0x0052ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
browcli.dll 0x7feface0000 0x7fefacf1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #503: net.exe
0 0
Information Value
ID #503
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop AcrSch2Svc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:50, Reason: Child Process
Unmonitor End Time: 00:03:52, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8ac
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x804
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #504: net1.exe
17 0
Information Value
ID #504
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:50, Reason: Child Process
Unmonitor End Time: 00:03:52, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xc30
Parent PID 0x504 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA28
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x000fffff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffac0000 0xffaf2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5a50000 0x7fef5a61fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffac0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:40 (UTC) True 1 Fn
Get Time type = Ticks, time = 56035 True 1 Fn
Process #505: net.exe
0 0
Information Value
ID #505
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop Antivirus /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:51, Reason: Child Process
Unmonitor End Time: 00:03:52, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa00
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA04
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000080000 0x00080000 0x0017ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
locale.nls 0x00210000 0x00276fff Memory Mapped File r False False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0041ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef5a50000 0x7fef5a61fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #506: net1.exe
17 0
Information Value
ID #506
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop AcronisAgent /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:51, Reason: Child Process
Unmonitor End Time: 00:03:52, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x860
Parent PID 0xf48 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xC98
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0053ffff Private Memory rw True False False -
private_0x0000000000730000 0x00730000 0x0073ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe90000 0xffec2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7feface0000 0x7fefacf1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffe90000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:41 (UTC) True 1 Fn
Get Time type = Ticks, time = 56300 True 1 Fn
Process #507: net1.exe
17 0
Information Value
ID #507
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop AcrSch2Svc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:51, Reason: Child Process
Unmonitor End Time: 00:03:52, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x354
Parent PID 0x8ac (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x7A4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000cffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe90000 0xffec2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7feface0000 0x7fefacf1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffe90000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:41 (UTC) True 1 Fn
Get Time type = Ticks, time = 56316 True 1 Fn
Process #508: net.exe
0 0
Information Value
ID #508
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ARSM /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:51, Reason: Child Process
Unmonitor End Time: 00:03:52, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9c8
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x9CC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #509: net.exe
0 0
Information Value
ID #509
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:51, Reason: Child Process
Unmonitor End Time: 00:03:53, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x178
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x830
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #510: net1.exe
17 0
Information Value
ID #510
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop Antivirus /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:51, Reason: Child Process
Unmonitor End Time: 00:03:52, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf58
Parent PID 0xa00 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x960
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffbe0000 0xffc12fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5a50000 0x7fef5a61fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffbe0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:41 (UTC) True 1 Fn
Get Time type = Ticks, time = 56737 True 1 Fn
Process #511: net.exe
Information Value
ID #511
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:51, Reason: Child Process
Unmonitor End Time: 00:03:52, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x998
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x9B0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #512: net.exe
Information Value
ID #512
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:51, Reason: Child Process
Unmonitor End Time: 00:03:53, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x844
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x9E0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #513: net1.exe
Information Value
ID #513
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:51, Reason: Child Process
Unmonitor End Time: 00:03:53, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x730
Parent PID 0x178 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x78C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x00000000001e0000 0x001e0000 0x001effff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff670000 0xff6a2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5a50000 0x7fef5a61fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff670000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:41 (UTC) True 1 Fn
Get Time type = Ticks, time = 57049 True 1 Fn
Process #514: net.exe
Information Value
ID #514
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecJobEngine /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:51, Reason: Child Process
Unmonitor End Time: 00:03:53, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x528
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x894
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #515: net1.exe
Information Value
ID #515
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ARSM /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:51, Reason: Child Process
Unmonitor End Time: 00:03:53, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x128
Parent PID 0x9c8 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x13C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000120000 0x00120000 0x0021ffff Private Memory rw True False False -
locale.nls 0x00220000 0x00286fff Memory Mapped File r False False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000470000 0x00470000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff670000 0xff6a2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5a50000 0x7fef5a61fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff670000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:42 (UTC) True 1 Fn
Get Time type = Ticks, time = 57143 True 1 Fn
Process #516: net.exe
Information Value
ID #516
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecManagementService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:52, Reason: Child Process
Unmonitor End Time: 00:03:53, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x81c
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x8E0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #517: net1.exe
Information Value
ID #517
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:52, Reason: Child Process
Unmonitor End Time: 00:03:52, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x728
Parent PID 0x998 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x784
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000080000 0x00080000 0x0017ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
locale.nls 0x00210000 0x00276fff Memory Mapped File r False False False -
private_0x0000000000300000 0x00300000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe60000 0xffe92fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5a50000 0x7fef5a61fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffe60000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:42 (UTC) True 1 Fn
Get Time type = Ticks, time = 57423 True 1 Fn
Process #518: net1.exe
Information Value
ID #518
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:52, Reason: Child Process
Unmonitor End Time: 00:03:52, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x69c
Parent PID 0x844 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x76C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x0015ffff Private Memory rw True False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe60000 0xffe92fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5a50000 0x7fef5a61fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe60000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:42 (UTC) True 1
Get Time type = Ticks, time = 57392 True 1
Process #519: net.exe
Information Value
ID #519
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecRPCService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:52, Reason: Child Process
Unmonitor End Time: 00:03:54, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x84c
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x758
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #520: net.exe
Information Value
ID #520
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:52, Reason: Child Process
Unmonitor End Time: 00:03:53, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x97c
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x954
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #521: net.exe
Information Value
ID #521
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop bedbg /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:52, Reason: Child Process
Unmonitor End Time: 00:03:53, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf28
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF4C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #522: net1.exe
Information Value
ID #522
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecJobEngine /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:52, Reason: Child Process
Unmonitor End Time: 00:03:53, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x904
Parent PID 0x528 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x9A0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x002fffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffbf0000 0xffc22fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5a50000 0x7fef5a61fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffbf0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:42 (UTC) True 1
Get Time type = Ticks, time = 57813 True 1
Process #523: net.exe
Information Value
ID #523
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop DCAgent /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:52, Reason: Child Process
Unmonitor End Time: 00:03:54, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8b8
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x350
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #524: net1.exe
Information Value
ID #524
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecManagementService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:52, Reason: Child Process
Unmonitor End Time: 00:03:53, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x87c
Parent PID 0x81c (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x8A8
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x0000000000550000 0x00550000 0x0055ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffde0000 0xffe12fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5a50000 0x7fef5a61fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffde0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:42 (UTC) True 1
Get Time type = Ticks, time = 58047 True 1
Process #525: net.exe
Information Value
ID #525
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop EPSecurityService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:52, Reason: Child Process
Unmonitor End Time: 00:03:53, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x780
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x348
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #526: net1.exe
Information Value
ID #526
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecRPCService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:53, Reason: Child Process
Unmonitor End Time: 00:03:53, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x530
Parent PID 0x84c (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x980
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
private_0x00000000004f0000 0x004f0000 0x004fffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfffc0000 0xffff2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5a50000 0x7fef5a61fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfffc0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:43 (UTC) True 1
Get Time type = Ticks, time = 58422 True 1
Process #527: net1.exe
Information Value
ID #527
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop BackupExecVSSProvider /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:53, Reason: Child Process
Unmonitor End Time: 00:03:53, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x9ac
Parent PID 0x97c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x870
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0044ffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0054ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfffc0000 0xffff2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5a50000 0x7fef5a61fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfffc0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:43 (UTC) True 1
Get Time type = Ticks, time = 58437 True 1
Process #528: net1.exe
Information Value
ID #528
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop bedbg /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:53, Reason: Child Process
Unmonitor End Time: 00:03:53, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xff8
Parent PID 0xf28 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x8CC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0006ffff Private Memory rw True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfffc0000 0xffff2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5a50000 0x7fef5a61fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfffc0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:43 (UTC) True 1 Fn
Get Time type = Ticks, time = 58297 True 1 Fn
Process #529: net1.exe
17 0
Information Value
ID #529
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop DCAgent /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:53, Reason: Child Process
Unmonitor End Time: 00:03:53, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x1dc
Parent PID 0x8b8 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x898
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0011ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfffc0000 0xffff2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5a50000 0x7fef5a61fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfffc0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:43 (UTC) True 1 Fn
Get Time type = Ticks, time = 58437 True 1 Fn
Process #530: net.exe
0 0
Information Value
ID #530
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop EPUpdateService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:53, Reason: Child Process
Unmonitor End Time: 00:03:55, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x138
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x7D8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #531: net.exe
0 0
Information Value
ID #531
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop EraserSvc11710 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:53, Reason: Child Process
Unmonitor End Time: 00:03:54, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf54
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF9C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
browcli.dll 0x7feface0000 0x7fefacf1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #532: net1.exe
17 0
Information Value
ID #532
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop EPSecurityService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:53, Reason: Child Process
Unmonitor End Time: 00:03:53, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xfb0
Parent PID 0x780 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xBB8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
private_0x0000000000550000 0x00550000 0x0055ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff050000 0xff082fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5a50000 0x7fef5a61fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff050000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:43 (UTC) True 1 Fn
Get Time type = Ticks, time = 58765 True 1 Fn
Process #533: net.exe
0 0
Information Value
ID #533
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop EsgShKernel /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:53, Reason: Child Process
Unmonitor End Time: 00:03:54, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb28
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x334
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #534: net.exe
0 0
Information Value
ID #534
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop FA_Scheduler /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:53, Reason: Child Process
Unmonitor End Time: 00:03:55, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x738
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x220
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #535: net1.exe
17 0
Information Value
ID #535
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop EraserSvc11710 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:53, Reason: Child Process
Unmonitor End Time: 00:03:54, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x910
Parent PID 0xf54 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x888
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0034ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffed0000 0xfff02fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7feface0000 0x7fefacf1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffed0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:43 (UTC) True 1 Fn
Get Time type = Ticks, time = 58999 True 1 Fn
Process #536: net1.exe
17 0
Information Value
ID #536
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop EPUpdateService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:53, Reason: Child Process
Unmonitor End Time: 00:03:54, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x8a0
Parent PID 0x138 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x86C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffed0000 0xfff02fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7feface0000 0x7fefacf1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffed0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:44 (UTC) True 1
Get Time type = Ticks, time = 59139 True 1
Process #537: net.exe
0 0
Information Value
ID #537
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop IISAdmin /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:54, Reason: Child Process
Unmonitor End Time: 00:03:56, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x880
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #538: net.exe
0 0
Information Value
ID #538
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop IMAP4Svc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:54, Reason: Child Process
Unmonitor End Time: 00:03:55, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x708
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xE48
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x001bffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef5a50000 0x7fef5a61fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #539: net1.exe
17 0
Information Value
ID #539
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop EsgShKernel /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:54, Reason: Child Process
Unmonitor End Time: 00:03:54, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xe7c
Parent PID 0xb28 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xE44
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffbb0000 0xffbe2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7feface0000 0x7fefacf1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffbb0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:44 (UTC) True 1
Get Time type = Ticks, time = 59342 True 1
Process #540: net1.exe
17 0
Information Value
ID #540
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop FA_Scheduler /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:54, Reason: Child Process
Unmonitor End Time: 00:03:54, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xe08
Parent PID 0x738 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xE8C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x0043ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffaf0000 0xffb22fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7feface0000 0x7fefacf1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffaf0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:44 (UTC) True 1
Get Time type = Ticks, time = 59498 True 1
Process #541: net.exe
0 0
Information Value
ID #541
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop macmnsvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:54, Reason: Child Process
Unmonitor End Time: 00:03:56, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xdf8
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xF94
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #542: net.exe
0 0
Information Value
ID #542
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop masvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:54, Reason: Child Process
Unmonitor End Time: 00:03:56, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfd0
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xFCC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #543: net1.exe
17 0
Information Value
ID #543
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop IMAP4Svc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:54, Reason: Child Process
Unmonitor End Time: 00:03:55, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xaa8
Parent PID 0x708 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xF04
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory rw True False False -
private_0x00000000006f0000 0x006f0000 0x006fffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffd50000 0xffd82fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5a50000 0x7fef5a61fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffd50000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:44 (UTC) True 1
Get Time type = Ticks, time = 59873 True 1
Process #544: net.exe
0 0
Information Value
ID #544
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MBAMService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:54, Reason: Child Process
Unmonitor End Time: 00:03:56, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe74
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xF38
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #545: net1.exe
17 0
Information Value
ID #545
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop IISAdmin /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:54, Reason: Child Process
Unmonitor End Time: 00:03:55, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xed8
Parent PID 0x880 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA9C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x0043ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffd50000 0xffd82fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5a50000 0x7fef5a61fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffd50000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:44 (UTC) True 1
Get Time type = Ticks, time = 59997 True 1
Process #546: net.exe
Information Value
ID #546
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MBEndpointAgent /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:54, Reason: Child Process
Unmonitor End Time: 00:03:56, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd58
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xF5C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x0015ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
browcli.dll 0x7feface0000 0x7fefacf1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #547: net1.exe
Information Value
ID #547
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop macmnsvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:54, Reason: Child Process
Unmonitor End Time: 00:03:55, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xe60
Parent PID 0xdf8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xF14
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
locale.nls 0x001d0000 0x00236fff Memory Mapped File r False False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0034ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffd50000 0xffd82fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5a50000 0x7fef5a61fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffd50000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:45 (UTC) True 1
Get Time type = Ticks, time = 60138 True 1
Process #548: net.exe
Information Value
ID #548
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop McAfeeEngineService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:55, Reason: Child Process
Unmonitor End Time: 00:03:56, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x15c
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xEA4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #549: net1.exe
Information Value
ID #549
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop masvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:55, Reason: Child Process
Unmonitor End Time: 00:03:55, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xd60
Parent PID 0xfd0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xEC8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
private_0x0000000000500000 0x00500000 0x0050ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffd50000 0xffd82fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5a50000 0x7fef5a61fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffd50000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:45 (UTC) True 1
Get Time type = Ticks, time = 60263 True 1
Process #550: net.exe
Information Value
ID #550
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop McAfeeFramework /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:55, Reason: Child Process
Unmonitor End Time: 00:03:56, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xeac
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x6D0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #551: net1.exe
Information Value
ID #551
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MBAMService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:55, Reason: Child Process
Unmonitor End Time: 00:03:55, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xf6c
Parent PID 0xe74 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xBEC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
private_0x0000000000580000 0x00580000 0x0058ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff040000 0xff072fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5a50000 0x7fef5a61fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff040000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:45 (UTC) True 1
Get Time type = Ticks, time = 60481 True 1
Process #552: net.exe
Information Value
ID #552
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:55, Reason: Child Process
Unmonitor End Time: 00:03:57, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb50
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB54
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #553: net.exe
Information Value
ID #553
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop McShield /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:55, Reason: Child Process
Unmonitor End Time: 00:03:56, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf24
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xC60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x001affff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #554: net1.exe
Information Value
ID #554
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MBEndpointAgent /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:55, Reason: Child Process
Unmonitor End Time: 00:03:56, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xae0
Parent PID 0xd58 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xAE4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x0000000000570000 0x00570000 0x0057ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff270000 0xff2a2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7feface0000 0x7fefacf1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff270000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:45 (UTC) True 1
Fn
Get Time type = Ticks, time = 60793 True 1
Fn
Process #555: net.exe
0 0
Information Value
ID #555
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop McTaskManager /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:55, Reason: Child Process
Unmonitor End Time: 00:03:57, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb48
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x F84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x003bffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #556: net1.exe
17 0
Information Value
ID #556
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop McAfeeEngineService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:55, Reason: Child Process
Unmonitor End Time: 00:03:56, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xfa4
Parent PID 0x15c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x BA4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x0013ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000470000 0x00470000 0x0056ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff270000 0xff2a2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7feface0000 0x7fefacf1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff270000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:45 (UTC) True 1
Fn
Get Time type = Ticks, time = 60933 True 1
Fn
Process #557: net1.exe
17 0
Information Value
ID #557
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop McAfeeFramework /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:55, Reason: Child Process
Unmonitor End Time: 00:03:57, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xd44
Parent PID 0xeac (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x D48
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
private_0x0000000000500000 0x00500000 0x0050ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff270000 0xff2a2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7feface0000 0x7fefacf1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff270000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:45 (UTC) True 1
Fn
Get Time type = Ticks, time = 61043 True 1
Fn
Process #558: net1.exe
17 0
Information Value
ID #558
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:55, Reason: Child Process
Unmonitor End Time: 00:03:57, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xfac
Parent PID 0xb50 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x BAC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0039ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff270000 0xff2a2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7feface0000 0x7fefacf1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff270000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:46 (UTC) True 1
Fn
Get Time type = Ticks, time = 61089 True 1
Fn
Process #559: net.exe
0 0
Information Value
ID #559
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop mfemms /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:55, Reason: Child Process
Unmonitor End Time: 00:03:57, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9a8
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 974
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #560: net1.exe
17 0
Information Value
ID #560
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop McShield /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:56, Reason: Child Process
Unmonitor End Time: 00:03:56, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x9f0
Parent PID 0xf24 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x B90
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
locale.nls 0x00230000 0x00296fff Memory Mapped File r False False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x0000000000490000 0x00490000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffac0000 0xffaf2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7feface0000 0x7fefacf1fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffac0000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:46 (UTC) True 1
Fn
Get Time type = Ticks, time = 61620 True 1
Fn
Process #561: net.exe
0 0
Information Value
ID #561
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop mfevtp /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:56, Reason: Child Process
Unmonitor End Time: 00:03:57, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x874
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 7E8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #562: net.exe
0 0
Information Value
ID #562
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MMS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:56, Reason: Child Process
Unmonitor End Time: 00:03:58, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd94
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x42C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #563: net1.exe
17 0
Information Value
ID #563
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop McTaskManager /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:56, Reason: Child Process
Unmonitor End Time: 00:03:57, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xeb8
Parent PID 0xb48 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xEBC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
locale.nls 0x001f0000 0x00256fff Memory Mapped File r False False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff890000 0xff8c2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff890000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:46 (UTC) True 1
Get Time type = Ticks, time = 61994 True 1
Process #564: net1.exe
17 0
Information Value
ID #564
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop mfevtp /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:56, Reason: Child Process
Unmonitor End Time: 00:03:57, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xe84
Parent PID 0x874 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF18
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
locale.nls 0x00210000 0x00276fff Memory Mapped File r False False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x003dffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff890000 0xff8c2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff890000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:46 (UTC) True 1
Get Time type = Ticks, time = 62025 True 1
Process #565: net.exe
0 0
Information Value
ID #565
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop mozyprobackup /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:56, Reason: Child Process
Unmonitor End Time: 00:03:58, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf3c
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE0C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #566: net1.exe
17 0
Information Value
ID #566
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop mfemms /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:57, Reason: Child Process
Unmonitor End Time: 00:03:57, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xa34
Parent PID 0x9a8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xC8C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x0000000000290000 0x00290000 0x0029ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff890000 0xff8c2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff890000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:47 (UTC) True 1
Get Time type = Ticks, time = 62213 True 1
Process #567: net1.exe
17 0
Information Value
ID #567
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MMS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:57, Reason: Child Process
Unmonitor End Time: 00:03:57, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xcc4
Parent PID 0xd94 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xCEC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000005c0000 0x005c0000 0x005cffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff890000 0xff8c2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff890000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:47 (UTC) True 1
Get Time type = Ticks, time = 62322 True 1
Process #568: net.exe
0 0
Information Value
ID #568
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MsDtsServer /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:57, Reason: Child Process
Unmonitor End Time: 00:03:58, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xda4
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #569: net.exe
0 0
Information Value
ID #569
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MsDtsServer100 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:57, Reason: Child Process
Unmonitor End Time: 00:03:58, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf50
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD28
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x003fffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #570: net.exe
0 0
Information Value
ID #570
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MsDtsServer110 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:57, Reason: Child Process
Unmonitor End Time: 00:03:58, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x908
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x914
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x0057ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #571: net.exe
0 0
Information Value
ID #571
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSExchangeES /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:57, Reason: Child Process
Unmonitor End Time: 00:03:58, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd70
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA6C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #572: net1.exe
Information Value
ID #572
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MsDtsServer100 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:57, Reason: Child Process
Unmonitor End Time: 00:03:58, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xab0
Parent PID 0xf50 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x970
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
private_0x00000000005a0000 0x005a0000 0x005affff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff550000 0xff582fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff550000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:47 (UTC) True 1
Get Time type = Ticks, time = 62977 True 1
Process #573: net1.exe
Information Value
ID #573
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop mozyprobackup /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:57, Reason: Child Process
Unmonitor End Time: 00:03:58, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x8c4
Parent PID 0xf3c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x8E8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000470000 0x00470000 0x0056ffff Private Memory rw True False False -
private_0x0000000000760000 0x00760000 0x0076ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff550000 0xff582fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff550000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:47 (UTC) True 1
Get Time type = Ticks, time = 63008 True 1
Process #574: net1.exe
Information Value
ID #574
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MsDtsServer /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:57, Reason: Child Process
Unmonitor End Time: 00:03:57, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xb6c
Parent PID 0xda4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xCE8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
locale.nls 0x00240000 0x002a6fff Memory Mapped File r False False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x0043ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff550000 0xff582fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff550000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:47 (UTC) True 1
Get Time type = Ticks, time = 62852 True 1
Process #575: net.exe
Information Value
ID #575
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSExchangeIS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:57, Reason: Child Process
Unmonitor End Time: 00:03:58, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc04
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xC3C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
private_0x0000000000560000 0x00560000 0x0056ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #576: net.exe
Information Value
ID #576
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSExchangeMGMT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:58, Reason: Child Process
Unmonitor End Time: 00:03:59, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa78
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xBDC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #577: net1.exe
Information Value
ID #577
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSExchangeES /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:58, Reason: Child Process
Unmonitor End Time: 00:03:58, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xb34
Parent PID 0xd70 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x9DC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffd80000 0xffdb2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffd80000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:48 (UTC) True 1
Get Time type = Ticks, time = 63367 True 1
Process #578: net1.exe
Information Value
ID #578
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MsDtsServer110 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:58, Reason: Child Process
Unmonitor End Time: 00:03:58, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xd9c
Parent PID 0x908 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xDB4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory rw True False False -
private_0x0000000000500000 0x00500000 0x0050ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffd80000 0xffdb2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffd80000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:48 (UTC) True 1
Get Time type = Ticks, time = 63305 True 1
Process #579: net.exe
0 0
Information Value
ID #579
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSExchangeMTA /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:58, Reason: Child Process
Unmonitor End Time: 00:03:59, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbd4
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xC38
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #580: net.exe
0 0
Information Value
ID #580
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSExchangeSA /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:58, Reason: Child Process
Unmonitor End Time: 00:03:59, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb0c
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA14
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #581: net1.exe
17 0
Information Value
ID #581
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSExchangeIS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:58, Reason: Child Process
Unmonitor End Time: 00:03:58, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xe14
Parent PID 0xc04 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xD00
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory rw True False False -
locale.nls 0x00160000 0x001c6fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe40000 0xffe72fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe40000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:48 (UTC) True 1
Get Time type = Ticks, time = 63679 True 1
Process #582: net1.exe
17 0
Information Value
ID #582
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSExchangeMGMT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:58, Reason: Child Process
Unmonitor End Time: 00:03:59, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xb64
Parent PID 0xa78 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB94
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe40000 0xffe72fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe40000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:48 (UTC) True 1
Get Time type = Ticks, time = 63773 True 1
Process #583: net.exe
0 0
Information Value
ID #583
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSExchangeSRS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:58, Reason: Child Process
Unmonitor End Time: 00:03:59, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc1c
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB70
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #584: net.exe
0 0
Information Value
ID #584
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSOLAP$SQL_2008 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:58, Reason: Child Process
Unmonitor End Time: 00:04:00, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xaf4
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xCD8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
private_0x00000000005f0000 0x005f0000 0x005fffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #585: net1.exe
17 0
Information Value
ID #585
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSExchangeSRS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:58, Reason: Child Process
Unmonitor End Time: 00:04:00, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xdc4
Parent PID 0xc1c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x9B8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0006ffff Private Memory rw True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff1c0000 0xff1f2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff1c0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:49 (UTC) True 1
Get Time type = Ticks, time = 64210 True 1
Process #586: net1.exe
17 0
Information Value
ID #586
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSExchangeMTA /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:59, Reason: Child Process
Unmonitor End Time: 00:03:59, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xbb4
Parent PID 0xbd4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xC9C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x001affff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff1c0000 0xff1f2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff1c0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:49 (UTC) True 1
Get Time type = Ticks, time = 64225 True 1
Process #587: net1.exe
17 0
Information Value
ID #587
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSExchangeSA /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:59, Reason: Child Process
Unmonitor End Time: 00:04:00, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x8fc
Parent PID 0xb0c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xBC4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x003dffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff1c0000 0xff1f2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff1c0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:49 (UTC) True 1 Fn
Get Time type = Ticks, time = 64147 True 1 Fn
Process #588: net.exe
0 0
Information Value
ID #588
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSOLAP$SYSTEM_BGC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:59, Reason: Child Process
Unmonitor End Time: 00:04:00, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x808
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA5C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #589: net.exe
0 0
Information Value
ID #589
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSOLAP$TPS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:59, Reason: Child Process
Unmonitor End Time: 00:04:00, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9e4
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #590: net1.exe
17 0
Information Value
ID #590
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:59, Reason: Child Process
Unmonitor End Time: 00:03:59, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xe04
Parent PID 0xaf4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xD1C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffee0000 0xfff12fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffee0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:49 (UTC) True 1 Fn
Get Time type = Ticks, time = 64506 True 1 Fn
Process #591: net.exe
0 0
Information Value
ID #591
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSOLAP$TPSAMA /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:59, Reason: Child Process
Unmonitor End Time: 00:04:01, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe88
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xEB4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #592: net.exe
0 0
Information Value
ID #592
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$BKUPEXEC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:59, Reason: Child Process
Unmonitor End Time: 00:04:00, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe54
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xEC0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #593: net1.exe
17 0
Information Value
ID #593
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:59, Reason: Child Process
Unmonitor End Time: 00:03:59, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xd38
Parent PID 0x808 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xEC4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0032ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff780000 0xff7b2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff780000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:49 (UTC) True 1 Fn
Get Time type = Ticks, time = 64787 True 1 Fn
Process #594: net1.exe
17 0
Information Value
ID #594
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSOLAP$TPS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:59, Reason: Child Process
Unmonitor End Time: 00:03:59, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xddc
Parent PID 0x9e4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xE64
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
private_0x00000000005e0000 0x005e0000 0x005effff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff780000 0xff7b2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff780000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:49 (UTC) True 1 Fn
Get Time type = Ticks, time = 64756 True 1 Fn
Process #595: net.exe
0 0
Information Value
ID #595
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$ECWDB2 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:59, Reason: Child Process
Unmonitor End Time: 00:04:01, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc40
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xCCC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
private_0x0000000000510000 0x00510000 0x0051ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #596: net.exe
Information Value
ID #596
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$PRACTICEMGT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:59, Reason: Child Process
Unmonitor End Time: 00:04:01, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb68
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xBE4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #597: net1.exe
Information Value
ID #597
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:00, Reason: Child Process
Unmonitor End Time: 00:04:00, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x994
Parent PID 0xe88 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x884
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000120000 0x00120000 0x0021ffff Private Memory rw True False False -
locale.nls 0x00220000 0x00286fff Memory Mapped File r False False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff0b0000 0xff0e2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff0b0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:50 (UTC) True 1
Get Time type = Ticks, time = 65239 True 1
Process #598: net1.exe
Information Value
ID #598
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:00, Reason: Child Process
Unmonitor End Time: 00:04:00, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xb00
Parent PID 0xe54 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB78
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000510000 0x00510000 0x0051ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff0b0000 0xff0e2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff0b0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:50 (UTC) True 1
Get Time type = Ticks, time = 65270 True 1
Process #599: net.exe
Information Value
ID #599
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$PRACTTICEBGC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:00, Reason: Child Process
Unmonitor End Time: 00:04:02, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa84
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xCA4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #600: net1.exe
Information Value
ID #600
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:00, Reason: Child Process
Unmonitor End Time: 00:04:01, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x98c
Parent PID 0xc40 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x9FC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff050000 0xff082fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff050000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:50 (UTC) True 1
Get Time type = Ticks, time = 65567 True 1
Process #601: net.exe
Information Value
ID #601
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$PROFXENGAGEMENT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:00, Reason: Child Process
Unmonitor End Time: 00:04:02, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa10
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xA88
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000120000 0x00120000 0x0021ffff Private Memory rw True False False -
locale.nls 0x00220000 0x00286fff Memory Mapped File r False False False -
private_0x0000000000320000 0x00320000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #602: net.exe
Information Value
ID #602
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$SBSMONITORING /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:00, Reason: Child Process
Unmonitor End Time: 00:04:02, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc90
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xECC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #603: net1.exe
Information Value
ID #603
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:00, Reason: Child Process
Unmonitor End Time: 00:04:01, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xef8
Parent PID 0xb68 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xBBC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x001effff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffd40000 0xffd72fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffd40000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:50 (UTC) True 1
Get Time type = Ticks, time = 65832 True 1
Process #604: net1.exe
Information Value
ID #604
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:00, Reason: Child Process
Unmonitor End Time: 00:04:01, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x360
Parent PID 0xa84 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE9C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x000fffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffd40000 0xffd72fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffd40000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:50 (UTC) True 1 Fn
Get Time type = Ticks, time = 65848 True 1 Fn
Process #605: net.exe
0 0
Information Value
ID #605
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$SHAREPOINT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:00, Reason: Child Process
Unmonitor End Time: 00:04:02, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9d0
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x8BC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #606: net.exe
0 0
Information Value
ID #606
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$SQL_2008 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:00, Reason: Child Process
Unmonitor End Time: 00:04:02, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8d8
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA38
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #607: net1.exe
17 0
Information Value
ID #607
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:01, Reason: Child Process
Unmonitor End Time: 00:04:02, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xff0
Parent PID 0xa10 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xF08
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff1e0000 0xff212fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff1e0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:51 (UTC) True 1 Fn
Get Time type = Ticks, time = 66206 True 1 Fn
Process #608: net.exe
0 0
Information Value
ID #608
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$SYSTEM_BGC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:01, Reason: Child Process
Unmonitor End Time: 00:04:03, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc5c
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xC98
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
private_0x00000000005e0000 0x005e0000 0x005effff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #609: net.exe
0 0
Information Value
ID #609
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$TPS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:01, Reason: Child Process
Unmonitor End Time: 00:04:02, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8c8
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x640
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #610: net1.exe
17 0
Information Value
ID #610
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:01, Reason: Child Process
Unmonitor End Time: 00:04:02, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x804
Parent PID 0xc90 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA2C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0036ffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff360000 0xff392fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff360000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:51 (UTC) True 1 Fn
Get Time type = Ticks, time = 66503 True 1 Fn
Process #611: net1.exe
17 0
Information Value
ID #611
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:01, Reason: Child Process
Unmonitor End Time: 00:04:02, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x820
Parent PID 0x8d8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x8E4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
private_0x0000000000610000 0x00610000 0x0061ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff360000 0xff392fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff360000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:51 (UTC) True 1 Fn
Get Time type = Ticks, time = 66518 True 1 Fn
Process #612: net1.exe
17 0
Information Value
ID #612
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:01, Reason: Child Process
Unmonitor End Time: 00:04:02, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x960
Parent PID 0x9d0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x634
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000080000 0x00080000 0x0017ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
locale.nls 0x00210000 0x00276fff Memory Mapped File r False False False -
private_0x0000000000300000 0x00300000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff360000 0xff392fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff360000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:51 (UTC) True 1
Get Time type = Ticks, time = 66472 True 1
Process #613: net.exe
Information Value
ID #613
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$TPSAMA /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:01, Reason: Child Process
Unmonitor End Time: 00:04:02, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8b0
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x78C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #614: net.exe
Information Value
ID #614
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:01, Reason: Child Process
Unmonitor End Time: 00:04:02, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x92c
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x91C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #615: net.exe
Information Value
ID #615
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2012 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:01, Reason: Child Process
Unmonitor End Time: 00:04:03, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9cc
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x9C8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #616: net.exe
Information Value
ID #616
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:01, Reason: Child Process
Unmonitor End Time: 00:04:03, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x76c
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x8F8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #617: net1.exe
Information Value
ID #617
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:01, Reason: Child Process
Unmonitor End Time: 00:04:03, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x998
Parent PID 0xc5c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x7E0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa50000 0xffa82fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa50000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:51 (UTC) True 1
Get Time type = Ticks, time = 67049 True 1
Process #618: net1.exe
Information Value
ID #618
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:02, Reason: Child Process
Unmonitor End Time: 00:04:02, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x9e0
Parent PID 0x92c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x6F4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0027ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa50000 0xffa82fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa50000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:52 (UTC) True 1
Get Time type = Ticks, time = 67252 True 1
Process #619: net1.exe
Information Value
ID #619
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$TPS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:02, Reason: Child Process
Unmonitor End Time: 00:04:02, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xe2c
Parent PID 0x8c8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x704
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
locale.nls 0x00260000 0x002c6fff Memory Mapped File r False False False -
private_0x0000000000340000 0x00340000 0x0034ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa50000 0xffa82fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa50000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:52 (UTC) True 1
Get Time type = Ticks, time = 67174 True 1
Process #620: net1.exe
Information Value
ID #620
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:02, Reason: Child Process
Unmonitor End Time: 00:04:03, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x6f0
Parent PID 0x8b0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x904
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
locale.nls 0x00150000 0x001b6fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x002affff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa50000 0xffa82fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa50000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:52 (UTC) True 1
Get Time type = Ticks, time = 67174 True 1
Process #621: net.exe
Information Value
ID #621
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:02, Reason: Child Process
Unmonitor End Time: 00:04:03, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x278
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x840
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #622: net.exe
0 0
Information Value
ID #622
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:02, Reason: Child Process
Unmonitor End Time: 00:04:04, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7e4
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x34C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
private_0x00000000006d0000 0x006d0000 0x006dffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #623: net.exe
0 0
Information Value
ID #623
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:02, Reason: Child Process
Unmonitor End Time: 00:04:03, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x81c
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x4D0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0009ffff Private Memory rw True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #624: net1.exe
17 0
Information Value
ID #624
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:02, Reason: Child Process
Unmonitor End Time: 00:04:03, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xffc
Parent PID 0x7e4 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF4C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0041ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffad0000 0xffb02fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffad0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:52 (UTC) True 1
Get Time type = Ticks, time = 67751 True 1
Process #625: net1.exe
17 0
Information Value
ID #625
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:02, Reason: Child Process
Unmonitor End Time: 00:04:03, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x1dc
Parent PID 0x9cc (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x8F4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffad0000 0xffb02fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffad0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:52 (UTC) True 1
Get Time type = Ticks, time = 67782 True 1
Process #626: net1.exe
17 0
Information Value
ID #626
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:02, Reason: Child Process
Unmonitor End Time: 00:04:03, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x350
Parent PID 0x76c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x980
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x0040ffff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x0052ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffad0000 0xffb02fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffad0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:52 (UTC) True 1
Get Time type = Ticks, time = 67844 True 1
Process #627: net1.exe
17 0
Information Value
ID #627
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:02, Reason: Child Process
Unmonitor End Time: 00:04:03, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x8b8
Parent PID 0x278 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x330
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x0000000000490000 0x00490000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffad0000 0xffb02fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffad0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:52 (UTC) True 1
Get Time type = Ticks, time = 67969 True 1
Process #628: net.exe
0 0
Information Value
ID #628
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SQL_2008 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:02, Reason: Child Process
Unmonitor End Time: 00:04:04, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x870
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x82C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #629: net.exe
0 0
Information Value
ID #629
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:03, Reason: Child Process
Unmonitor End Time: 00:04:04, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x84c
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF40
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #630: net1.exe
Information Value
ID #630
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:03, Reason: Child Process
Unmonitor End Time: 00:04:03, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x534
Parent PID 0x81c (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x97C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
private_0x00000000004b0000 0x004b0000 0x004bffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff770000 0xff7a2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff770000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:53 (UTC) True 1
Get Time type = Ticks, time = 68250 True 1
Process #631: net.exe
Information Value
ID #631
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:03, Reason: Child Process
Unmonitor End Time: 00:04:05, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x828
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF2C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000004b0000 0x004b0000 0x004bffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #632: net.exe
Information Value
ID #632
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLFDLauncher$TPSAMA /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:03, Reason: Child Process
Unmonitor End Time: 00:04:04, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x348
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x780
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #633: net1.exe
Information Value
ID #633
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:03, Reason: Child Process
Unmonitor End Time: 00:04:03, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x458
Parent PID 0x870 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x978
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x001fffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb30000 0xffb62fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffb30000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:53 (UTC) True 1
Get Time type = Ticks, time = 68500 True 1
Process #634: net1.exe
Information Value
ID #634
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:03, Reason: Child Process
Unmonitor End Time: 00:04:03, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x234
Parent PID 0x84c (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x8B4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
private_0x0000000000510000 0x00510000 0x0051ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb30000 0xffb62fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffb30000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:53 (UTC) True 1
Get Time type = Ticks, time = 68515 True 1
Process #635: net.exe
Information Value
ID #635
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLSERVER /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:03, Reason: Child Process
Unmonitor End Time: 00:04:04, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8d0
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF9C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #636: net.exe
Information Value
ID #636
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLServerADHelper100 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:03, Reason: Child Process
Unmonitor End Time: 00:04:05, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x510
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x8A0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #637: net1.exe
Information Value
ID #637
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:03, Reason: Child Process
Unmonitor End Time: 00:04:04, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x138
Parent PID 0x828 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF80
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff80000 0xfffb2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfff80000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:53 (UTC) True 1
Get Time type = Ticks, time = 68905 True 1
Process #638: net.exe
Information Value
ID #638
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLServerOLAPService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:03, Reason: Child Process
Unmonitor End Time: 00:04:05, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbf4
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xCB4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
private_0x0000000000590000 0x00590000 0x0059ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #639: net1.exe
17 0
Information Value
ID #639
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:03, Reason: Child Process
Unmonitor End Time: 00:04:04, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xe8c
Parent PID 0x348 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x31C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
locale.nls 0x00270000 0x002d6fff Memory Mapped File r False False False -
private_0x0000000000340000 0x00340000 0x0034ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff0b0000 0xff0e2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff0b0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:54 (UTC) True 1 Fn
Get Time type = Ticks, time = 69311 True 1 Fn
Process #640: net1.exe
17 0
Information Value
ID #640
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLSERVER /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:03, Reason: Child Process
Unmonitor End Time: 00:04:04, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xe08
Parent PID 0x8d0 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xFB4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x001fffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff0b0000 0xff0e2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff0b0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:54 (UTC) True 1 Fn
Get Time type = Ticks, time = 69186 True 1 Fn
Process #641: net1.exe
17 0
Information Value
ID #641
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:03, Reason: Child Process
Unmonitor End Time: 00:04:05, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xf90
Parent PID 0x510 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xFBC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x0013ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff0b0000 0xff0e2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff0b0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:54 (UTC) True 1 Fn
Get Time type = Ticks, time = 69233 True 1 Fn
Process #642: net.exe
0 0
Information Value
ID #642
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MySQL80 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:04, Reason: Child Process
Unmonitor End Time: 00:04:05, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x964
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x900
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x0015ffff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #643: net.exe
0 0
Information Value
ID #643
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MySQL57 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:04, Reason: Child Process
Unmonitor End Time: 00:04:05, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x984
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB80
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #644: net1.exe
17 0
Information Value
ID #644
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MySQL80 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:04, Reason: Child Process
Unmonitor End Time: 00:04:04, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xa08
Parent PID 0x964 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xCB0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
private_0x00000000005f0000 0x005f0000 0x005fffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffbc0000 0xffbf2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffbc0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:54 (UTC) True 1 Fn
Get Time type = Ticks, time = 69545 True 1 Fn
Process #645: net.exe
0 0
Information Value
ID #645
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ntrtscan /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:04, Reason: Child Process
Unmonitor End Time: 00:04:05, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc78
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x988
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0055ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #646: net.exe
0 0
Information Value
ID #646
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop OracleClientCache80 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:04, Reason: Child Process
Unmonitor End Time: 00:04:05, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa8c
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xC2C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #647: net1.exe
Information Value
ID #647
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:04, Reason: Child Process
Unmonitor End Time: 00:04:04, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x9d4
Parent PID 0xbf4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xFD8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x0013ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff320000 0xff352fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff320000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:54 (UTC) True 1
Get Time type = Ticks, time = 69794 True 1
Process #648: net1.exe
Information Value
ID #648
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MySQL57 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:04, Reason: Child Process
Unmonitor End Time: 00:04:05, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xfe0
Parent PID 0x984 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xC30
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
private_0x0000000000620000 0x00620000 0x0062ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff320000 0xff352fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff320000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:54 (UTC) True 1
Get Time type = Ticks, time = 69748 True 1
Process #649: net.exe
Information Value
ID #649
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop PDVFSService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:04, Reason: Child Process
Unmonitor End Time: 00:04:06, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xff4
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x860
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000cffff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #650: net1.exe
Information Value
ID #650
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop OracleClientCache80 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:04, Reason: Child Process
Unmonitor End Time: 00:04:05, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x8ac
Parent PID 0xa8c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x9E8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0036ffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffdf0000 0xffe22fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffdf0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:55 (UTC) True 1
Get Time type = Ticks, time = 70122 True 1
Process #651: net1.exe
Information Value
ID #651
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ntrtscan /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:04, Reason: Child Process
Unmonitor End Time: 00:04:05, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf58
Parent PID 0xc78 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xA00
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0038ffff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x0052ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffdf0000 0xffe22fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffdf0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:55 (UTC) True 1
Get Time type = Ticks, time = 70122 True 1
Process #652: net.exe
Information Value
ID #652
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop POP3Svc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:05, Reason: Child Process
Unmonitor End Time: 00:04:05, Reason: Self Terminated
Monitor Duration 00:00:00
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x128
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x8EC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #653: net.exe
Information Value
ID #653
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ReportServer /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:05, Reason: Child Process
Unmonitor End Time: 00:04:06, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf04
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xCAC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0053ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #654: net.exe
Information Value
ID #654
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ReportServer$SQL_2008 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:05, Reason: Child Process
Unmonitor End Time: 00:04:07, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xed4
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD54
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
private_0x0000000000690000 0x00690000 0x0069ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #655: net.exe
Information Value
ID #655
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ReportServer$SYSTEM_BGC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:05, Reason: Child Process
Unmonitor End Time: 00:04:06, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe60
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xD14
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #656: net1.exe
Information Value
ID #656
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop PDVFSService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:05, Reason: Child Process
Unmonitor End Time: 00:04:06, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xec8
Parent PID 0xff4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xC0C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffaf0000 0xffb22fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffaf0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:55 (UTC) True 1
Get Time type = Ticks, time = 70574 True 1
Process #657: net1.exe
Information Value
ID #657
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop POP3Svc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:05, Reason: Child Process
Unmonitor End Time: 00:04:05, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x918
Parent PID 0x128 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xD5C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x001dffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffaf0000 0xffb22fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffaf0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:55 (UTC) True 1
Get Time type = Ticks, time = 70590 True 1
Process #658: net1.exe
Information Value
ID #658
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ReportServer /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:05, Reason: Child Process
Unmonitor End Time: 00:04:06, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xef4
Parent PID 0xf04 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory rw True False False -
locale.nls 0x00160000 0x001c6fff Memory Mapped File r False False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0042ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffaf0000 0xffb22fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffaf0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:55 (UTC) True 1
Get Time type = Ticks, time = 70590 True 1
Process #659: net.exe
Information Value
ID #659
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ReportServer$TPS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:05, Reason: Child Process
Unmonitor End Time: 00:04:07, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb3c
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xF94
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #660: net.exe
Information Value
ID #660
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ReportServer$TPSAMA /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:05, Reason: Child Process
Unmonitor End Time: 00:04:06, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x73c
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xFC8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
locale.nls 0x00270000 0x002d6fff Memory Mapped File r False False False -
private_0x0000000000380000 0x00380000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #661: net.exe
Information Value
ID #661
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop RESvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:05, Reason: Child Process
Unmonitor End Time: 00:04:08, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbec
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xFD0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #662: net1.exe
Information Value
ID #662
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:05, Reason: Child Process
Unmonitor End Time: 00:04:06, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf10
Parent PID 0xed4 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xF6C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
private_0x00000000005f0000 0x005f0000 0x005fffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff60000 0xfff92fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfff60000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:56 (UTC) True 1
Get Time type = Ticks, time = 71058 True 1
Process #663: net1.exe
Information Value
ID #663
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:05, Reason: Child Process
Unmonitor End Time: 00:04:06, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xee4
Parent PID 0xe60 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xF70
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
private_0x0000000000620000 0x00620000 0x0062ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff60000 0xfff92fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfff60000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:56 (UTC) True 1
Get Time type = Ticks, time = 71058 True 1
Process #664: net1.exe
Information Value
ID #664
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ReportServer$TPS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:05, Reason: Child Process
Unmonitor End Time: 00:04:06, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf38
Parent PID 0xb3c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xE74
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff60000 0xfff92fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfff60000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:56 (UTC) True 1
Get Time type = Ticks, time = 71074 True 1
Process #665: net.exe
Information Value
ID #665
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop sacsvr /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:06, Reason: Child Process
Unmonitor End Time: 00:04:07, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc64
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xAE4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #666: net.exe
Information Value
ID #666
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SamSs /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:06, Reason: Child Process
Unmonitor End Time: 00:04:07, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd80
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xF5C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #667: net.exe
Information Value
ID #667
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SAVAdminService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:06, Reason: Child Process
Unmonitor End Time: 00:04:08, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfa4
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xEA8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0046ffff Private Memory rw True False False -
private_0x0000000000470000 0x00470000 0x0056ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #668: net1.exe
Information Value
ID #668
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:06, Reason: Child Process
Unmonitor End Time: 00:04:06, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xf00
Parent PID 0x73c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xEA4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x0030ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff9a0000 0xff9d2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff9a0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:56 (UTC) True 1
Get Time type = Ticks, time = 71464 True 1
Process #669: net.exe
Information Value
ID #669
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SAVService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:06, Reason: Child Process
Unmonitor End Time: 00:04:07, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc48
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xC08
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #670: net.exe
Information Value
ID #670
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SDRSVC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:06, Reason: Child Process
Unmonitor End Time: 00:04:07, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb50
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xBE0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #671: net1.exe
Information Value
ID #671
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SAVAdminService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:06, Reason: Child Process
Unmonitor End Time: 00:04:08, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xb90
Parent PID 0xfa4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xDC8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff0f0000 0xff122fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff0f0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:57 (UTC) True 1
Get Time type = Ticks, time = 72072 True 1
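Processes #663 to #671 above document the sample's service-stopping stage: xhcdxx.exe (PID 0x75c) launches one "net.exe stop <service> /y" per target, and each net.exe hands the same arguments to a net1.exe child (for example #667, PID 0xfa4, spawns #671), which opens the Service Control Manager, fails to resolve the service name, and writes 30, 2, 2 and 52 bytes to stderr. Those byte counts are consistent with the English net.exe messages "The service name is invalid." and "More help is available by typing NET HELPMSG 2185." (each followed by CRLF), which would mean the targeted services were simply not installed on the analysis VM; that is an inference from the sizes, not something the report states. From a detection standpoint the useful signal is not any single "net stop" but the burst: one launcher issuing many stop/kill commands for backup, database and security services within seconds. The script below is an added example and is not part of the VMRay report or of the sample; its events are constructed from the command lines and PIDs shown here in a simplified Sysmon-like layout (time, pid, ppid, image, command line), the net.exe to net1.exe hop is collapsed so both events count once against the real launcher, and the threshold (five distinct targets within 60 seconds) and the WATCHLIST contents are assumptions chosen for illustration. It also handles "taskkill /IM <image> /F", which ransomware commonly uses alongside "net stop".

```python
"""Flag a process that stops or kills many services/processes in a short burst.

Added example; not VMRay's code and not the sample's. Event layout is a
simplified Sysmon Event ID 1 record: (utc_time, pid, ppid, image, cmdline).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# net.exe / net1.exe "stop <name>" and taskkill "/IM <image>" extractors.
NET_STOP = re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+(\S+)', re.IGNORECASE)
TASKKILL = re.compile(r'\btaskkill(?:\.exe)?"?\s+.*?/IM\s+(\S+)', re.IGNORECASE)

# Assumed watchlist; the names are the services targeted in this report
# (Sophos AV, SAM, Windows Backup, Exchange routing, SAC), compared case-insensitively.
WATCHLIST = {"savservice", "savadminservice", "samss", "sdrsvc", "sacsvr", "resvc"}

# Constructed sample events. PIDs and command lines follow the report; the
# timestamps are illustrative. The last event is benign admin noise.
SAMPLE_EVENTS = [
    ("2018-11-27 08:42:55", 0xb3c, 0x75c, r"C:\Windows\System32\net.exe",
     r'"C:\Windows\System32\net.exe" stop ReportServer$TPS /y'),
    ("2018-11-27 08:42:55", 0xf38, 0xb3c, r"C:\Windows\System32\net1.exe",
     r"C:\Windows\system32\net1 stop ReportServer$TPS /y"),
    ("2018-11-27 08:42:56", 0xfa4, 0x75c, r"C:\Windows\System32\net.exe",
     r'"C:\Windows\System32\net.exe" stop SAVAdminService /y'),
    ("2018-11-27 08:42:56", 0xb90, 0xfa4, r"C:\Windows\System32\net1.exe",
     r"C:\Windows\system32\net1 stop SAVAdminService /y"),
    ("2018-11-27 08:42:56", 0xc64, 0x75c, r"C:\Windows\System32\net.exe",
     r'"C:\Windows\System32\net.exe" stop sacsvr /y'),
    ("2018-11-27 08:42:56", 0xd80, 0x75c, r"C:\Windows\System32\net.exe",
     r'"C:\Windows\System32\net.exe" stop SamSs /y'),
    ("2018-11-27 08:42:56", 0xc48, 0x75c, r"C:\Windows\System32\net.exe",
     r'"C:\Windows\System32\net.exe" stop SAVService /y'),
    ("2018-11-27 08:42:56", 0xb50, 0x75c, r"C:\Windows\System32\net.exe",
     r'"C:\Windows\System32\net.exe" stop SDRSVC /y'),
    ("2018-11-27 08:42:57", 0x814, 0x75c, r"C:\Windows\System32\taskkill.exe",
     r'"C:\Windows\System32\taskkill.exe" /IM excel.exe /F'),
    ("2018-11-27 08:50:00", 0x111, 0x222, r"C:\Windows\System32\net.exe",
     r'"C:\Windows\System32\net.exe" stop Spooler /y'),
]


def extract_target(cmdline):
    """Return ('service', name) for net stop, ('process', image) for taskkill, else None."""
    m = NET_STOP.search(cmdline)
    if m:
        return ("service", m.group(1))
    m = TASKKILL.search(cmdline)
    if m:
        return ("process", m.group(1))
    return None


def attribute_launcher(event, by_pid):
    """Collapse the net.exe -> net1.exe hop: net.exe only relays its arguments
    to net1.exe, so a net1.exe child of net.exe is credited to net.exe's parent."""
    _, _, ppid, image, _ = event
    parent = by_pid.get(ppid)
    if image.lower().endswith("net1.exe") and parent and parent[3].lower().endswith("net.exe"):
        return parent[2]
    return ppid


def detect_kill_bursts(events, min_targets=5, window=timedelta(seconds=60)):
    """Return one alert per launcher that stops/kills >= min_targets distinct
    targets inside `window`. Thresholds are assumptions, tune per environment."""
    by_pid = {e[1]: e for e in events}
    per_launcher = defaultdict(dict)  # launcher pid -> {(kind, name): first seen}
    for ev in events:
        target = extract_target(ev[4])
        if target is None:
            continue
        ts = datetime.strptime(ev[0], "%Y-%m-%d %H:%M:%S")
        per_launcher[attribute_launcher(ev, by_pid)].setdefault(target, ts)

    alerts = []
    for launcher, targets in per_launcher.items():
        times = sorted(targets.values())
        # Sliding window over first-seen times of distinct targets.
        for i in range(len(times) - min_targets + 1):
            if times[i + min_targets - 1] - times[i] <= window:
                alerts.append({
                    "launcher_pid": launcher,
                    "targets": sorted(name for _, name in targets),
                    "watchlist_hits": sorted(name for kind, name in targets
                                             if kind == "service" and name.lower() in WATCHLIST),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_kill_bursts(SAMPLE_EVENTS):
        print(f"launcher pid 0x{alert['launcher_pid']:x}: "
              f"{len(alert['targets'])} targets, watchlist hits {alert['watchlist_hits']}")
```

On the constructed events the single alert is attributed to PID 0x75c with seven distinct targets and five watchlist hits; the lone "net stop Spooler" from another parent stays below the threshold. When applying this to real telemetry, key on the launcher's command line and image as well, since a legitimate installer or backup agent can also stop several services in a row.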
Process #672: net1.exe
Information Value
ID #672
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop RESvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:06, Reason: Child Process
Unmonitor End Time: 00:04:07, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xba8
Parent PID 0xbec (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x9F0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
private_0x0000000000490000 0x00490000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff0f0000 0xff122fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff0f0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:56 (UTC) True 1
Get Time type = Ticks, time = 71916 True 1
Process #673: net1.exe
17 0
Information Value
ID #673
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop sacsvr /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:06, Reason: Child Process
Unmonitor End Time: 00:04:08, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xc60
Parent PID 0xc64 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xF24
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff0f0000 0xff122fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff0f0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:56 (UTC) True 1
Get Time type = Ticks, time = 71947 True 1
Process #674: net1.exe
19 0
Information Value
ID #674
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SamSs /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:06, Reason: Child Process
Unmonitor End Time: 00:04:07, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xe70
Parent PID 0xd80 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xE58
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
locale.nls 0x00260000 0x002c6fff Memory Mapped File r False False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff0f0000 0xff122fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 71 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff0f0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (4)
Operation Additional Information Success Count
Get Info service_name = SAMSS True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:56 (UTC) True 1
Get Time type = Ticks, time = 71978 True 1
Process #675: net.exe
0 0
Information Value
ID #675
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SepMasterService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:06, Reason: Child Process
Unmonitor End Time: 00:04:09, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x928
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xEBC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #676: net.exe
0 0
Information Value
ID #676
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ShMonitor /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:06, Reason: Child Process
Unmonitor End Time: 00:04:08, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe84
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB48
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #677: net1.exe
17 0
Information Value
ID #677
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SAVService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:07, Reason: Child Process
Unmonitor End Time: 00:04:07, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xe40
Parent PID 0xc48 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x7E8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x002dffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffff0000 0x100022fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffff0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:57 (UTC) True 1
Get Time type = Ticks, time = 72290 True 1
Process #678: net.exe
0 0
Information Value
ID #678
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop Smcinst /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:07, Reason: Child Process
Unmonitor End Time: 00:04:08, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x874
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x924
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #679: net.exe
0 0
Information Value
ID #679
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SmcService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:07, Reason: Child Process
Unmonitor End Time: 00:04:08, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe1c
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xD94
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #680: net1.exe
20 0
Information Value
ID #680
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SDRSVC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:07, Reason: Child Process
Unmonitor End Time: 00:04:07, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xa24
Parent PID 0xb50 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xFDC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0044ffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0054ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff210000 0xff242fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 44 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff210000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (5)
Operation Additional Information Success Count
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 1
Get Info service_name = SDRSVC True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:42:57 (UTC) True 1
Get Time type = Ticks, time = 72587 True 1
Process #681: net.exe
0 0
Information Value
ID #681
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SMTPSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:07, Reason: Child Process
Unmonitor End Time: 00:04:09, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9a8
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x948
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #682: net1.exe
17 0
Information Value
ID #682
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ShMonitor /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:07, Reason: Child Process
Unmonitor End Time: 00:04:08, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xdb8
Parent PID 0xe84 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xF34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
private_0x0000000000660000 0x00660000 0x0066ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff150000 0xff182fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff150000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:57 (UTC) True 1 Fn
Get Time type = Ticks, time = 72930 True 1 Fn
Process #683: net.exe
0 0
Information Value
ID #683
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SNAC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:07, Reason: Child Process
Unmonitor End Time: 00:04:08, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xda4
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xC44
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
locale.nls 0x00270000 0x002d6fff Memory Mapped File r False False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000004a0000 0x004a0000 0x004affff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #684: net1.exe
17 0
Information Value
ID #684
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SepMasterService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:07, Reason: Child Process
Unmonitor End Time: 00:04:09, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x970
Parent PID 0x928 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x8E8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0011ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff150000 0xff182fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff150000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:58 (UTC) True 1 Fn
Get Time type = Ticks, time = 73070 True 1 Fn
Process #685: net1.exe
17 0
Information Value
ID #685
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop Smcinst /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:07, Reason: Child Process
Unmonitor End Time: 00:04:08, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xd28
Parent PID 0x874 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x8C4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x0000000000590000 0x00590000 0x0059ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff150000 0xff182fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff150000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:58 (UTC) True 1 Fn
Get Time type = Ticks, time = 73195 True 1 Fn
Process #686: net1.exe
17 0
Information Value
ID #686
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SMTPSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:07, Reason: Child Process
Unmonitor End Time: 00:04:09, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xf50
Parent PID 0x9a8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB8C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff150000 0xff182fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff150000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:58 (UTC) True 1 Fn
Get Time type = Ticks, time = 73273 True 1 Fn
Process #687: net.exe
0 0
Information Value
ID #687
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SntpService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:08, Reason: Child Process
Unmonitor End Time: 00:04:08, Reason: Self Terminated
Monitor Duration 00:00:00
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xdb4
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xDA0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #688: net1.exe
17 0
Information Value
ID #688
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SmcService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:08, Reason: Child Process
Unmonitor End Time: 00:04:09, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xd9c
Parent PID 0xe1c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x9DC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x0022ffff Private Memory rw True False False -
locale.nls 0x00230000 0x00296fff Memory Mapped File r False False False -
private_0x0000000000360000 0x00360000 0x0036ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff150000 0xff182fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff150000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:58 (UTC) True 1
Fn
Get Time type = Ticks, time = 73476 True 1
Fn
Process #689: net.exe
0 0
Information Value
ID #689
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop sophossps /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:08, Reason: Child Process
Unmonitor End Time: 00:04:09, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbc8
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x914
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x003fffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #690: net1.exe
17 0
Information Value
ID #690
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SNAC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:08, Reason: Child Process
Unmonitor End Time: 00:04:08, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xb34
Parent PID 0xda4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xBFC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0046ffff Private Memory rw True False False -
private_0x0000000000470000 0x00470000 0x0056ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff4b0000 0xff4e2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff4b0000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:58 (UTC) True 1
Fn
Get Time type = Ticks, time = 73663 True 1
Fn
Process #691: net1.exe
17 0
Information Value
ID #691
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SntpService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:08, Reason: Child Process
Unmonitor End Time: 00:04:08, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xd70
Parent PID 0xdb4 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x520
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
private_0x0000000000520000 0x00520000 0x0052ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff4b0000 0xff4e2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff4b0000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:58 (UTC) True 1
Fn
Get Time type = Ticks, time = 73850 True 1
Fn
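The process blocks above show the service-kill chain this sample runs: xhcdxx.exe launches `net.exe stop <service> /y` (and, per the process overview, `taskkill /IM <process> /F`), net.exe hands the work to net1.exe, and net1.exe's Service section records the lookup failing (`Get Service Name ... False`) before an error is written to STD_ERROR_HANDLE, because the targeted product is not installed in the analysis VM. The following Python is an added detection sketch, not part of the VMRay report or of the sample: it keys on command lines rather than on whether the stop succeeded, folds the net.exe to net1.exe hop back onto the process that launched `net stop`, and flags a parent that targets several distinct services or processes within a short window. The event records, PIDs, paths, the benign cmd.exe control entries and the thresholds are constructed for the example.

```python
"""Detection sketch for the service/process-kill burst visible in this report.

Added example, not part of the VMRay report: it models the pattern in which a
single parent (xhcdxx.exe in the report) fires many `taskkill /IM <proc> /F`
and `net stop <svc> /y` commands within seconds, with each `net stop`
spawning net1.exe. The events below are constructed to mimic Sysmon process
creation records; PIDs, paths and the benign cmd.exe entries are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (utc_time, pid, ppid, image, command_line).
SAMPLE_EVENTS = [
    ("2018-11-27 08:42:55", 0x75c, 0x3a0, r"C:\Users\victim\Desktop\xhcdxx.exe",
     r'"C:\Users\victim\Desktop\xhcdxx.exe"'),
    ("2018-11-27 08:42:56", 0x0f0, 0x75c, r"C:\Windows\System32\taskkill.exe",
     r'"C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F'),
    ("2018-11-27 08:42:56", 0x3c8, 0x75c, r"C:\Windows\System32\taskkill.exe",
     r'"C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F'),
    ("2018-11-27 08:42:58", 0xbc8, 0x75c, r"C:\Windows\System32\net.exe",
     r'"C:\Windows\System32\net.exe" stop sophossps /y'),
    ("2018-11-27 08:42:58", 0xc3c, 0xbc8, r"C:\Windows\System32\net1.exe",
     r"C:\Windows\system32\net1 stop sophossps /y"),
    ("2018-11-27 08:42:58", 0xd0c, 0x75c, r"C:\Windows\System32\net.exe",
     r'"C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y'),
    ("2018-11-27 08:42:59", 0xc38, 0xd0c, r"C:\Windows\System32\net1.exe",
     r"C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y"),
    ("2018-11-27 08:42:59", 0xcc8, 0x75c, r"C:\Windows\System32\net.exe",
     r'"C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y'),
    # Benign control (constructed): an admin stopping one service from a shell.
    ("2018-11-27 08:50:00", 0x111, 0x222, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe"'),
    ("2018-11-27 08:50:01", 0x333, 0x111, r"C:\Windows\System32\net.exe",
     r'"C:\Windows\System32\net.exe" stop Spooler'),
]

# Windows command-line tokenizer: quoted runs stay together, quotes are dropped.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokens(cmdline):
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def classify(image, cmdline):
    """Map one process-creation event to the thing it tries to kill.

    Returns ("service", name) for `net stop <svc>` / `net1 stop <svc>`,
    ("process", name) for `taskkill ... /IM <proc> ... /F`, else None.
    Keyed on the command line only: in the report the `Get Service Name`
    call fails because the target service is absent, so a rule that waited
    for a successful stop would miss the attempt entirely.
    """
    base = image.rsplit("\\", 1)[-1].lower()
    toks = tokens(cmdline)
    low = [t.lower() for t in toks]
    if base in ("net.exe", "net1.exe") and len(low) >= 3 and low[1] == "stop":
        return ("service", toks[2])
    if base == "taskkill.exe" and "/f" in low and "/im" in low:
        i = low.index("/im")
        if i + 1 < len(low):
            return ("process", toks[i + 1])
    return None


def detect_kill_bursts(events, threshold=5, window=timedelta(seconds=10)):
    """Flag any parent that targets >= `threshold` distinct services or
    processes within `window`. The net.exe -> net1.exe hop is folded onto
    the process that launched `net stop`, so both land under one root.
    Caveat: PIDs are reused; a real pipeline should key on process GUIDs."""
    by_pid = {e[1]: e for e in events}
    per_root = defaultdict(dict)  # root pid -> {(kind, name_lower): (time, name)}
    for when, pid, ppid, image, cmd in events:
        hit = classify(image, cmd)
        if hit is None:
            continue
        root = ppid
        while root in by_pid and by_pid[root][3].lower().endswith("\\net.exe"):
            root = by_pid[root][2]
        kind, name = hit
        ts = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
        # net.exe and net1.exe both carry the same service name: count it once.
        per_root[root].setdefault((kind, name.lower()), (ts, name))
    findings = []
    for root, targets in per_root.items():
        if len(targets) < threshold:
            continue
        times = sorted(ts for ts, _ in targets.values())
        # Sliding window over the first-seen times of distinct targets.
        if not any(times[i + threshold - 1] - times[i] <= window
                   for i in range(len(times) - threshold + 1)):
            continue
        findings.append({
            "root_pid": hex(root),
            "root_image": by_pid[root][3] if root in by_pid else None,
            "services": sorted(n for (k, _), (_, n) in targets.items() if k == "service"),
            "processes": sorted(n for (k, _), (_, n) in targets.items() if k == "process"),
        })
    return findings


if __name__ == "__main__":
    for f in detect_kill_bursts(SAMPLE_EVENTS):
        print(f["root_pid"], f["root_image"], f["services"], f["processes"])
```

On the constructed input this reports one root, the xhcdxx.exe process, with three services and two processes targeted inside three seconds; the single `net stop Spooler` from the control shell stays below the threshold. The PID caveat is not theoretical: in this very report Process #691 (net1.exe) is listed with a taskkill.exe parent, a PID that has evidently been reused, so tying children to parents by PID alone will misattribute some of the chain.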
Process #692: net.exe
0 0
Information Value
ID #692
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$BKUPEXEC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:08, Reason: Child Process
Unmonitor End Time: 00:04:09, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd0c
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x7D0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #693: net.exe
0 0
Information Value
ID #693
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$ECWDB2 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:08, Reason: Child Process
Unmonitor End Time: 00:04:09, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xcc8
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB64
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #694: net.exe
0 0
Information Value
ID #694
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEBGC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:08, Reason: Child Process
Unmonitor End Time: 00:04:10, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xba0
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE14
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #695: net1.exe
17 0
Information Value
ID #695
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop sophossps /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:09, Reason: Child Process
Unmonitor End Time: 00:04:09, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xc3c
Parent PID 0xbc8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xC04
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000080000 0x00080000 0x0017ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
locale.nls 0x00250000 0x002b6fff Memory Mapped File r False False False -
private_0x00000000003b0000 0x003b0000 0x003bffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff760000 0xff792fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff760000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:59 (UTC) True 1
Fn
Get Time type = Ticks, time = 74178 True 1
Fn
Process #696: net.exe
0 0
Information Value
ID #696
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$PRACTTICEMGT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:09, Reason: Child Process
Unmonitor End Time: 00:04:10, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb04
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xBCC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #697: net1.exe
17 0
Information Value
ID #697
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:09, Reason: Child Process
Unmonitor End Time: 00:04:10, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xc38
Parent PID 0xd0c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x8FC
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
private_0x00000000004e0000 0x004e0000 0x004effff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffec0000 0xffef2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffec0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:59 (UTC) True 1 Fn
Get Time type = Ticks, time = 74443 True 1 Fn
Process #698: net1.exe (17 host behavior operations, 0 network behavior operations)
Information Value
ID #698
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:09, Reason: Child Process
Unmonitor End Time: 00:04:10, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xdc4
Parent PID 0xcc8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB70
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0031ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffec0000 0xffef2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffec0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:59 (UTC) True 1 Fn
Get Time type = Ticks, time = 74412 True 1 Fn
Process #699: net.exe (0 host behavior operations, 0 network behavior operations)
Information Value
ID #699
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$PROFXENGAGEMENT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:09, Reason: Child Process
Unmonitor End Time: 00:04:10, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xcf0
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB18
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #700: net.exe (0 host behavior operations, 0 network behavior operations)
Information Value
ID #700
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$SBSMONITORING /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:09, Reason: Child Process
Unmonitor End Time: 00:04:10, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb08
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xC54
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #701: net1.exe (17 host behavior operations, 0 network behavior operations)
Information Value
ID #701
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:09, Reason: Child Process
Unmonitor End Time: 00:04:09, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xd68
Parent PID 0xb04 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD1C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000cffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe70000 0xffea2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffe70000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:59 (UTC) True 1 Fn
Get Time type = Ticks, time = 74724 True 1 Fn
Process #702: net1.exe (17 host behavior operations, 0 network behavior operations)
Information Value
ID #702
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:09, Reason: Child Process
Unmonitor End Time: 00:04:10, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xdd4
Parent PID 0xba0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xCD8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x001dffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x002cffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff2c0000 0xff2f2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff2c0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:42:59 (UTC) True 1 Fn
Get Time type = Ticks, time = 74958 True 1 Fn
Process #703: net.exe (0 host behavior operations, 0 network behavior operations)
Information Value
ID #703
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$SHAREPOINT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:09, Reason: Child Process
Unmonitor End Time: 00:04:11, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xaf4
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB5C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #704: net.exe (0 host behavior operations, 0 network behavior operations)
Information Value
ID #704
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$SQL_2008 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:09, Reason: Child Process
Unmonitor End Time: 00:04:11, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xde0
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x610
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #705: net1.exe (17 host behavior operations, 0 network behavior operations)
Information Value
ID #705
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:10, Reason: Child Process
Unmonitor End Time: 00:04:10, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xedc
Parent PID 0xcf0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xA60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
private_0x00000000004b0000 0x004b0000 0x004bffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff410000 0xff442fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff410000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:00 (UTC) True 1 Fn
Get Time type = Ticks, time = 75317 True 1 Fn
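The net.exe and net1.exe process blocks above all follow one pattern: the launcher (PID 0x75c, xhcdxx.exe) spawns net.exe stop SQLAgent$<instance> /y, net.exe hands the command to a child net1.exe, and net1.exe opens the service control manager. The Python below is an added example, not part of the VMRay report or of the sample's own code, showing detection logic that reconstructs that chain from process-creation events and attributes the whole burst of stop attempts to the originating process. The sample events are constructed from the PIDs, parent PIDs, command lines and monitor start times listed in the report; the three net.exe parents that this excerpt shows only through their children's Parent PID column (0xcc8, 0xb04, 0xba0), the launcher's own parent PID, the benign cmd.exe/Spooler pair, and the threshold and window values are assumptions.

```python
"""Added example, not part of the VMRay report or the sample's own code.
Flags a parent process that drives a burst of service-stop / process-kill
attempts through net.exe, net1.exe or taskkill.exe, keyed on command lines
and the parent chain rather than on whether the stop succeeded."""
import shlex
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path as logged
    cmdline: str
    ts: float       # seconds since the start of the trace


@dataclass(frozen=True)
class Finding:
    originator_pid: int
    originator_image: str
    attempts_in_window: int
    targets: tuple  # sorted (kind, target) pairs, target lower-cased


# net.exe hands every command to a child net1.exe, so one "net stop X" appears
# twice in the tree; both are helpers and are collapsed onto their originator.
HELPER_IMAGES = {"net.exe", "net1.exe"}


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows image path, with .exe normalised."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()
    return name if name.endswith(".exe") else name + ".exe"


def classify(cmdline: str):
    """Return (kind, target, forced) for 'net stop X [/y]' and
    'taskkill /IM X [/F]' command lines, else None."""
    try:  # posix=False keeps backslashes literal and quotes around paths
        toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:  # unbalanced quotes: not a command line we can parse
        return None
    if not toks:
        return None
    exe, args = image_name(toks[0]), toks[1:]
    if exe in HELPER_IMAGES and len(args) >= 2 and args[0].lower() == "stop":
        return ("net_stop", args[1], any(a.lower() == "/y" for a in args[2:]))
    if exe == "taskkill.exe":
        low = [a.lower() for a in args]
        if "/im" in low and low.index("/im") + 1 < len(args):
            return ("taskkill", args[low.index("/im") + 1], "/f" in low)
    return None


def originator_pid(ev: ProcEvent, by_pid: dict, max_hops: int = 8) -> int:
    """Walk up through net.exe/net1.exe helpers to the PID that issued the
    command (net1.exe -> net.exe -> launcher). Stops at an unknown parent."""
    cur = ev
    for _ in range(max_hops):
        parent = by_pid.get(cur.ppid)
        if parent is None or image_name(parent.image) not in HELPER_IMAGES:
            break
        cur = parent
    return cur.ppid


def detect_service_kill_burst(events, threshold=5, window_s=60.0):
    """Group stop/kill attempts by originator; report originators with at
    least `threshold` distinct targets inside any `window_s` sliding window."""
    by_pid = {e.pid: e for e in events}
    attempts = defaultdict(dict)  # originator pid -> {(kind, target): first ts}
    for ev in sorted(events, key=lambda e: e.ts):
        hit = classify(ev.cmdline)
        if hit:
            kind, target, _forced = hit  # /y and /F are informative, not required
            attempts[originator_pid(ev, by_pid)].setdefault((kind, target.lower()), ev.ts)
    findings = []
    for orig, targets in attempts.items():
        times = sorted(targets.values())
        best = j = 0
        for i, t in enumerate(times):  # sliding window over first-seen times
            while times[j] < t - window_s:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            image = by_pid[orig].image if orig in by_pid else "<not in trace>"
            findings.append(Finding(orig, image, best, tuple(sorted(targets))))
    return findings


# Constructed sample: PIDs, parents and command lines taken from the report
# (monitor start 00:04:09 / 00:04:10 -> 249 s / 250 s). The launcher's own
# parent (ppid 0) and the net.exe parents 0xcc8, 0xb04 and 0xba0, which the
# excerpt shows only via their children's Parent PID, are reconstructed
# (assumption). The cmd.exe / Spooler pair is made up as benign contrast.
XH, NET, NET1 = (r"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe",
                 r"C:\Windows\System32\net.exe", r"C:\Windows\system32\net1.exe")
SAMPLE_EVENTS = [
    ProcEvent(0x75C, 0, XH, f'"{XH}"', 0.0),
    ProcEvent(0xCC8, 0x75C, NET, f'"{NET}" stop SQLAgent$ECWDB2 /y', 249.0),
    ProcEvent(0xDC4, 0xCC8, NET1, r"C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y", 249.0),
    ProcEvent(0xCF0, 0x75C, NET, f'"{NET}" stop SQLAgent$PROFXENGAGEMENT /y', 249.0),
    ProcEvent(0xB08, 0x75C, NET, f'"{NET}" stop SQLAgent$SBSMONITORING /y', 249.0),
    ProcEvent(0xB04, 0x75C, NET, f'"{NET}" stop SQLAgent$PRACTTICEMGT /y', 249.0),
    ProcEvent(0xD68, 0xB04, NET1, r"C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y", 249.0),
    ProcEvent(0xBA0, 0x75C, NET, f'"{NET}" stop SQLAgent$PRACTTICEBGC /y', 249.0),
    ProcEvent(0xDD4, 0xBA0, NET1, r"C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y", 249.0),
    ProcEvent(0xAF4, 0x75C, NET, f'"{NET}" stop SQLAgent$SHAREPOINT /y', 249.0),
    ProcEvent(0xDE0, 0x75C, NET, f'"{NET}" stop SQLAgent$SQL_2008 /y', 249.0),
    ProcEvent(0xEDC, 0xCF0, NET1, r"C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y", 250.0),
    ProcEvent(0xD38, 0xB08, NET1, r"C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y", 250.0),
    ProcEvent(0x1000, 0, r"C:\Windows\System32\cmd.exe", "cmd.exe", 300.0),
    ProcEvent(0x1001, 0x1000, NET, f'"{NET}" stop Spooler', 301.0),
]

if __name__ == "__main__":
    for f in detect_service_kill_burst(SAMPLE_EVENTS):
        print(f"{f.originator_image} (pid {f.originator_pid:#x}) issued "
              f"{f.attempts_in_window} distinct stop/kill attempts in one window:")
        for kind, target in f.targets:
            print(f"  {kind:9s} {target}")
```

Two details of the report motivate the design. First, every net.exe block carries "No high level activity detected" while the SCM calls sit in the child net1.exe, so a hunt that filters on net.exe alone sees only a launcher, and one that filters on net1.exe alone loses the original parent; the example walks the chain and counts each service once. Second, in every net1.exe block Open Manager succeeds but Get Service Name fails (the named SQLAgent$ instances are not installed in the sandbox) and net1.exe then writes 30, 2, 2 and 52 bytes to STD_ERROR_HANDLE; those sizes are consistent with the NET HELPMSG 2185 text "The service name is invalid." followed by blank lines and the help hint, an inference from the byte counts rather than something the report states. The stop attempts therefore fail here, which is why the logic keys on process-creation command lines and not on a service actually changing state.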
Process #706: net1.exe (17 host behavior operations, 0 network behavior operations)
Information Value
ID #706
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:10, Reason: Child Process
Unmonitor End Time: 00:04:10, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xd38
Parent PID 0xb08 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x9E4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000560000 0x00560000 0x0056ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff410000 0xff442fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff410000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:00 (UTC) True 1
Get Time type = Ticks, time = 75239 True 1
Process #707: net.exe
Information Value
ID #707
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$SYSTEM_BGC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:10, Reason: Child Process
Unmonitor End Time: 00:04:12, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd64
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA5C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
private_0x00000000005f0000 0x005f0000 0x005fffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #708: net.exe
Information Value
ID #708
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$TPS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:10, Reason: Child Process
Unmonitor End Time: 00:04:11, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x848
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB00
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #709: net.exe
Information Value
ID #709
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$TPSAMA /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:10, Reason: Child Process
Unmonitor End Time: 00:04:11, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd6c
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x958
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #710: net.exe
Information Value
ID #710
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:10, Reason: Child Process
Unmonitor End Time: 00:04:12, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xcd4
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xD24
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #711: net1.exe
Information Value
ID #711
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:10, Reason: Child Process
Unmonitor End Time: 00:04:11, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x9fc
Parent PID 0xd64 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xCC0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0011ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb70000 0xffba2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffb70000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:00 (UTC) True 1
Get Time type = Ticks, time = 75785 True 1
Process #712: net1.exe
Information Value
ID #712
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:10, Reason: Child Process
Unmonitor End Time: 00:04:11, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xac4
Parent PID 0xaf4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA68
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x001dffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x0057ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb70000 0xffba2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffb70000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:00 (UTC) True 1
Get Time type = Ticks, time = 75785 True 1
Process #713: net1.exe
Information Value
ID #713
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:10, Reason: Child Process
Unmonitor End Time: 00:04:11, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xa54
Parent PID 0xde0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA50
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0042ffff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x0052ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb70000 0xffba2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffb70000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:00 (UTC) True 1
Get Time type = Ticks, time = 75847 True 1
Process #714: net.exe
Information Value
ID #714
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2012 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:10, Reason: Child Process
Unmonitor End Time: 00:04:12, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x938
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x930
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #715: net.exe
Information Value
ID #715
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLBrowser /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:10, Reason: Child Process
Unmonitor End Time: 00:04:12, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x618
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x798
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #716: net1.exe
Information Value
ID #716
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$TPS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:11, Reason: Child Process
Unmonitor End Time: 00:04:11, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xbbc
Parent PID 0x848 (c:\windows\system32\taskkill.exe)
Remark net1.exe is launched by net.exe (which hands every "net stop" to net1), not by taskkill.exe; a parent resolved to taskkill.exe means the parent PID had already been released by an earlier taskkill.exe child and reassigned, so the true parent is the net.exe instance that reused it.
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xE9C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000220000 0x00220000 0x0022ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff1f0000 0xff222fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff1f0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Remark The failed service-name lookup followed by 30-, 2- and 52-byte writes to STDERR is consistent with net1 reporting that the named service does not exist on the analysis VM: the sizes match "The service name is invalid." and "More help is available by typing NET HELPMSG 2185." with CRLF line endings. On a host that actually runs the targeted SQL services the same command stops them, which is the behaviour the sample is after.
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:01 (UTC) True 1
Get Time type = Ticks, time = 76144 True 1
Process #717: net.exe
Information Value
ID #717
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLSafeOLRService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:11, Reason: Child Process
Unmonitor End Time: 00:04:13, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x548
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x8DC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000080000 0x00080000 0x0017ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #718: net1.exe
Information Value
ID #718
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:11, Reason: Child Process
Unmonitor End Time: 00:04:11, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xbe4
Parent PID 0xd6c (c:\windows\system32\taskkill.exe)
Remark As with the other net1.exe children, the real parent is a net.exe instance; taskkill.exe appears here because PID 0xd6c was freed by an earlier taskkill.exe child and reused before the sandbox resolved the parent.
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x9D8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff6c0000 0xff6f2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff6c0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:01 (UTC) True 1
Get Time type = Ticks, time = 76331 True 1
Process #719: net1.exe
Information Value
ID #719
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:11, Reason: Child Process
Unmonitor End Time: 00:04:11, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xca4
Parent PID 0xcd4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x51C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
private_0x0000000000570000 0x00570000 0x0057ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff6c0000 0xff6f2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff6c0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:01 (UTC) True 1
Get Time type = Ticks, time = 76487 True 1
Process #720: net.exe
Information Value
ID #720
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLSERVERAGENT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:11, Reason: Child Process
Unmonitor End Time: 00:04:13, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf08
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x7A4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
private_0x0000000000490000 0x00490000 0x0049ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #721: net1.exe
Information Value
ID #721
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:11, Reason: Child Process
Unmonitor End Time: 00:04:11, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xfc0
Parent PID 0x938 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA88
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0028ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0055ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff6c0000 0xff6f2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff6c0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:01 (UTC) True 1
Get Time type = Ticks, time = 76799 True 1
Process #722: net1.exe
Information Value
ID #722
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLBrowser /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:11, Reason: Child Process
Unmonitor End Time: 00:04:12, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xfe8
Parent PID 0x618 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x634
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
private_0x00000000004b0000 0x004b0000 0x004bffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff6c0000 0xff6f2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff6c0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:01 (UTC) True 1
Get Time type = Ticks, time = 76721 True 1
Process #723: net.exe
Information Value
ID #723
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLTELEMETRY /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:11, Reason: Child Process
Unmonitor End Time: 00:04:13, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x878
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x85C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #724: net.exe
0 0
Information Value
ID #724
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLTELEMETRY$ECWDB2 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:11, Reason: Child Process
Unmonitor End Time: 00:04:14, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc28
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xE78
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
private_0x0000000000590000 0x00590000 0x0059ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #725: net.exe
0 0
Information Value
ID #725
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLWriter /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:11, Reason: Child Process
Unmonitor End Time: 00:04:14, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x90c
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xF78
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #726: net1.exe
17 0
Information Value
ID #726
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLSERVERAGENT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:11, Reason: Child Process
Unmonitor End Time: 00:04:12, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf98
Parent PID 0xf08 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x9B0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000120000 0x00120000 0x0021ffff Private Memory rw True False False -
locale.nls 0x00220000 0x00286fff Memory Mapped File r False False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x003bffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff110000 0xff142fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff110000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:02 (UTC) True 1 Fn
Get Time type = Ticks, time = 77173 True 1 Fn
Process #727: net1.exe
17 0
Information Value
ID #727
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLSafeOLRService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:12, Reason: Child Process
Unmonitor End Time: 00:04:12, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x784
Parent PID 0x548 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xC98
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x000fffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff110000 0xff142fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff110000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:02 (UTC) True 1 Fn
Get Time type = Ticks, time = 77189 True 1 Fn
Process #728: net.exe
0 0
Information Value
ID #728
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SstpSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:12, Reason: Child Process
Unmonitor End Time: 00:04:14, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x6f4
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA18
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x001affff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #729: net1.exe
17 0
Information Value
ID #729
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLTELEMETRY /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:12, Reason: Child Process
Unmonitor End Time: 00:04:13, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x9e0
Parent PID 0x878 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x91C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb90000 0xffbc2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffb90000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:02 (UTC) True 1 Fn
Get Time type = Ticks, time = 77454 True 1 Fn
Process #730: net.exe
0 0
Information Value
ID #730
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop svcGenericHost /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:12, Reason: Child Process
Unmonitor End Time: 00:04:14, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x940
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x8B0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000100000 0x00100000 0x001fffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #731: net.exe
0 0
Information Value
ID #731
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop swi_filter /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:12, Reason: Child Process
Unmonitor End Time: 00:04:14, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8c8
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xC7C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000120000 0x00120000 0x0012ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #732: net.exe
0 0
Information Value
ID #732
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop swi_service /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:12, Reason: Child Process
Unmonitor End Time: 00:04:14, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x764
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x9BC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #733: net1.exe
17 0
Information Value
ID #733
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:12, Reason: Child Process
Unmonitor End Time: 00:04:14, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x8f4
Parent PID 0xc28 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x980
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff60000 0xfff92fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfff60000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:03 (UTC) True 1
Get Time type = Ticks, time = 78109 True 1
Process #734: net1.exe
17 0
Information Value
ID #734
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop svcGenericHost /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:12, Reason: Child Process
Unmonitor End Time: 00:04:14, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x440
Parent PID 0x940 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x840
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x000fffff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x001fffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff60000 0xfff92fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfff60000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:03 (UTC) True 1
Get Time type = Ticks, time = 78140 True 1
Process #735: net1.exe
20 0
Information Value
ID #735
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SstpSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:12, Reason: Child Process
Unmonitor End Time: 00:04:13, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x278
Parent PID 0x6f4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x95C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x0000000000560000 0x00560000 0x0056ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff60000 0xfff92fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 70 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfff60000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (5)
Operation Additional Information Success Count
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 1
Get Info service_name = SSTPSVC True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:02 (UTC) True 1
Get Time type = Ticks, time = 77953 True 1
Process #736: net1.exe
17 0
Information Value
ID #736
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLWriter /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:12, Reason: Child Process
Unmonitor End Time: 00:04:14, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xffc
Parent PID 0x90c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x8E0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
private_0x00000000006a0000 0x006a0000 0x006affff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfff60000 0xfff92fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef5cc0000 0x7fef5cd1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfff60000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:02 (UTC) True 1
Get Time type = Ticks, time = 78031 True 1
Process #737: net.exe
0 0
Information Value
ID #737
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop swi_update_64 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:13, Reason: Child Process
Unmonitor End Time: 00:04:15, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0x350
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x7E4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #738: net.exe
0 0
Information Value
ID #738
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop TmCCSF /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:13, Reason: Child Process
Unmonitor End Time: 00:04:14, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0x8cc
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x9C8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #739: net.exe
0 0
Information Value
ID #739
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop tmlisten /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:13, Reason: Child Process
Unmonitor End Time: 00:04:14, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0xff8
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x99C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #740: net1.exe
17 0
Information Value
ID #740
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop swi_filter /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:13, Reason: Child Process
Unmonitor End Time: 00:04:14, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf64
Parent PID 0x8c8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x97C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0009ffff Private Memory rw True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff260000 0xff292fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff260000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:03 (UTC) True 1
Get Time type = Ticks, time = 78515 True 1
Process #741: net.exe
0 0
Information Value
ID #741
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop TrueKey /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:13, Reason: Child Process
Unmonitor End Time: 00:04:15, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0x8b4
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 888
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #742: net.exe
0 0
Information Value
ID #742
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop TrueKeyScheduler /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:13, Reason: Child Process
Unmonitor End Time: 00:04:15, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x234
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x81C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #743: net1.exe
17 0
Information Value
ID #743
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop swi_service /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:13, Reason: Child Process
Unmonitor End Time: 00:04:15, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x530
Parent PID 0x764 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF54
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x0043ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa60000 0xffa92fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa60000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:03 (UTC) True 1
Get Time type = Ticks, time = 78858 True 1
Process #744: net1.exe
17 0
Information Value
ID #744
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop swi_update_64 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:13, Reason: Child Process
Unmonitor End Time: 00:04:14, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf40
Parent PID 0x350 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x954
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa60000 0xffa92fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa60000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:03 (UTC) True 1
Get Time type = Ticks, time = 78889 True 1
Process #745: net1.exe
17 0
Information Value
ID #745
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop TmCCSF /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:13, Reason: Child Process
Unmonitor End Time: 00:04:15, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x86c
Parent PID 0x8cc (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x84C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x001dffff Private Memory rw True False False -
locale.nls 0x001e0000 0x00246fff Memory Mapped File r False False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x003effff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa60000 0xffa92fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffa60000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:03 (UTC) True 1
Get Time type = Ticks, time = 78858 True 1
Process #746: net.exe
0 0
Information Value
ID #746
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop TrueKeyServiceHelper /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:13, Reason: Child Process
Unmonitor End Time: 00:04:14, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe18
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF88
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #747: net.exe
0 0
Information Value
ID #747
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop UI0Detect /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:13, Reason: Child Process
Unmonitor End Time: 00:04:15, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7d8
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF2C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #748: net1.exe
17 0
Information Value
ID #748
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop tmlisten /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:14, Reason: Child Process
Unmonitor End Time: 00:04:14, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xfbc
Parent PID 0xff8 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x738
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0036ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff9f0000 0xffa22fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff9f0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:04 (UTC) True 1
Get Time type = Ticks, time = 79201 True 1
Process #749: net1.exe
17 0
Information Value
ID #749
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop TrueKeyScheduler /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:14, Reason: Child Process
Unmonitor End Time: 00:04:14, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xf20
Parent PID 0x234 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB28
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x003bffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff160000 0xff192fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff160000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:04 (UTC) True 1 Fn
Get Time type = Ticks, time = 79435 True 1 Fn
Process #750: net1.exe
17 0
Information Value
ID #750
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop TrueKey /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:14, Reason: Child Process
Unmonitor End Time: 00:04:14, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x8a0
Parent PID 0x8b4 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xE8C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
private_0x00000000004f0000 0x004f0000 0x004fffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff160000 0xff192fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff160000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:04 (UTC) True 1 Fn
Get Time type = Ticks, time = 79451 True 1 Fn
Process #751: net.exe
0 0
Information Value
ID #751
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamBackupSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:14, Reason: Child Process
Unmonitor End Time: 00:04:15, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x510
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xE7C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x0020ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6aa0000 0x7fef6ab1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #752: net.exe
0 0
Information Value
ID #752
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamBrokerSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:14, Reason: Child Process
Unmonitor End Time: 00:04:15, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbf0
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x780
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #753: net1.exe
20 0
Information Value
ID #753
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop UI0Detect /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:14, Reason: Child Process
Unmonitor End Time: 00:04:15, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x348
Parent PID 0x7d8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB24
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x001effff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x004bffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff560000 0xff592fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 60 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff560000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (5)
Operation Additional Information Success Count Logfile
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Get Info service_name = UI0DETECT True 1 Fn
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:04 (UTC) True 1 Fn
Get Time type = Ticks, time = 79747 True 1 Fn
Process #754: net1.exe
17 0
Information Value
ID #754
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:14, Reason: Child Process
Unmonitor End Time: 00:04:15, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xde4
Parent PID 0xe18 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA90
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x0017ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff560000 0xff592fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff560000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:04 (UTC) True 1 Fn
Get Time type = Ticks, time = 79747 True 1 Fn
Process #755: net.exe
0 0
Information Value
ID #755
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamCatalogSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:14, Reason: Child Process
Unmonitor End Time: 00:04:15, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa08
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x900
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #756: net.exe
0 0
Information Value
ID #756
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamCloudSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:14, Reason: Child Process
Unmonitor End Time: 00:04:16, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x964
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xD88
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0054ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #757: net1.exe
17 0
Information Value
ID #757
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamBackupSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:15, Reason: Child Process
Unmonitor End Time: 00:04:15, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x9d4
Parent PID 0x510 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x984
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000004a0000 0x004a0000 0x004affff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff560000 0xff592fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6aa0000 0x7fef6ab1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff560000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:05 (UTC) True 1
Get Time type = Ticks, time = 80153 True 1
Process #758: net.exe
Information Value
ID #758
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamDeploymentService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:15, Reason: Child Process
Unmonitor End Time: 00:04:16, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbe8
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x7DC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #759: net.exe
Information Value
ID #759
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamDeploySvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:15, Reason: Child Process
Unmonitor End Time: 00:04:16, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc58
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x220
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #760: net1.exe
Information Value
ID #760
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamCloudSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:15, Reason: Child Process
Unmonitor End Time: 00:04:15, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x8ac
Parent PID 0x964 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xC78
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0029ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff7b0000 0xff7e2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff7b0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:05 (UTC) True 1
Get Time type = Ticks, time = 80480 True 1
Process #761: net1.exe
Information Value
ID #761
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamBrokerSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:15, Reason: Child Process
Unmonitor End Time: 00:04:15, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xed0
Parent PID 0xbf0 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xA20
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x0000000000500000 0x00500000 0x0050ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff7b0000 0xff7e2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff7b0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:05 (UTC) True 1
Get Time type = Ticks, time = 80496 True 1
Process #762: net1.exe
Information Value
ID #762
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamCatalogSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:15, Reason: Child Process
Unmonitor End Time: 00:04:16, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x850
Parent PID 0xa08 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF48
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
private_0x00000000004c0000 0x004c0000 0x004cffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff7b0000 0xff7e2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff7b0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:05 (UTC) True 1
Get Time type = Ticks, time = 80496 True 1
Process #763: net.exe
Information Value
ID #763
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamEnterpriseManagerSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:15, Reason: Child Process
Unmonitor End Time: 00:04:16, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa8c
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x504
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x00000000001d0000 0x001d0000 0x001dffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6aa0000 0x7fef6ab1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #764: net1.exe
Information Value
ID #764
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamDeploySvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:15, Reason: Child Process
Unmonitor End Time: 00:04:16, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xb7c
Parent PID 0xc58 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD5C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
private_0x0000000000650000 0x00650000 0x0065ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff1e0000 0xff212fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff1e0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:05 (UTC) True 1
Get Time type = Ticks, time = 80855 True 1
Process #765: net1.exe
Information Value
ID #765
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamDeploymentService /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:15, Reason: Child Process
Unmonitor End Time: 00:04:15, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xb60
Parent PID 0xbe8 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x880
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0006ffff Private Memory rw True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff1e0000 0xff212fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff1e0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:05 (UTC) True 1 Fn
Get Time type = Ticks, time = 80808 True 1 Fn
Process #766: net.exe
0 0
Information Value
ID #766
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamMountSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:15, Reason: Child Process
Unmonitor End Time: 00:04:16, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd3c
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD20
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #767: net.exe
0 0
Information Value
ID #767
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamNFSSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:15, Reason: Child Process
Unmonitor End Time: 00:04:16, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xef4
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x128
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #768: net1.exe
17 0
Information Value
ID #768
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:16, Reason: Child Process
Unmonitor End Time: 00:04:16, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xff4
Parent PID 0xa8c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x730
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
private_0x0000000000630000 0x00630000 0x0063ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff080000 0xff0b2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6aa0000 0x7fef6ab1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff080000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:06 (UTC) True 1 Fn
Get Time type = Ticks, time = 81104 True 1 Fn
Process #769: net.exe
0 0
Information Value
ID #769
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamRESTSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:16, Reason: Child Process
Unmonitor End Time: 00:04:17, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xcac
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x708
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #770: net.exe
0 0
Information Value
ID #770
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamTransportSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:16, Reason: Child Process
Unmonitor End Time: 00:04:17, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xaa8
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD74
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000120000 0x00120000 0x0021ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #771: net1.exe
17 0
Information Value
ID #771
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamNFSSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:16, Reason: Child Process
Unmonitor End Time: 00:04:16, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xc40
Parent PID 0xef4 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x96C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory rw True False False -
private_0x00000000006c0000 0x006c0000 0x006cffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff600000 0xff632fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff600000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:06 (UTC) True 1 Fn
Get Time type = Ticks, time = 81385 True 1 Fn
Process #772: net1.exe
17 0
Information Value
ID #772
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamMountSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:16, Reason: Child Process
Unmonitor End Time: 00:04:16, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xbd8
Parent PID 0xd3c (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xA84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x0000000000250000 0x00250000 0x0025ffff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff600000 0xff632fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff600000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:06 (UTC) True 1 Fn
Get Time type = Ticks, time = 81401 True 1 Fn
Process #773: net.exe
0 0
Information Value
ID #773
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop W3Svc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:16, Reason: Child Process
Unmonitor End Time: 00:04:17, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xff0
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xA10
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #774: net.exe
0 0
Information Value
ID #774
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop wbengine /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:16, Reason: Child Process
Unmonitor End Time: 00:04:17, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x804
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x9D0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000470000 0x00470000 0x0056ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #775: net1.exe
17 0
Information Value
ID #775
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamTransportSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:16, Reason: Child Process
Unmonitor End Time: 00:04:16, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x338
Parent PID 0xaa8 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x838
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x003effff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb30000 0xffb62fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffb30000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:06 (UTC) True 1 Fn
Get Time type = Ticks, time = 81713 True 1 Fn
Process #776: net1.exe
Information Value
ID #776
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamRESTSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:16, Reason: Child Process
Unmonitor End Time: 00:04:17, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xc5c
Parent PID 0xcac (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xC50
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x002affff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb30000 0xffb62fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffb30000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:06 (UTC) True 1 Fn
Get Time type = Ticks, time = 81838 True 1 Fn
Process #777: net.exe
Information Value
ID #777
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop WRSVC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:16, Reason: Child Process
Unmonitor End Time: 00:04:17, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x6f0
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x0013ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6aa0000 0x7fef6ab1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #778: net.exe
Information Value
ID #778
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$VEEAMSQL2008R2 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:16, Reason: Child Process
Unmonitor End Time: 00:04:17, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb20
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF38
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #779: net1.exe
Information Value
ID #779
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop W3Svc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:16, Reason: Child Process
Unmonitor End Time: 00:04:17, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xf94
Parent PID 0xff0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xEE4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x0015ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb30000 0xffb62fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffb30000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:06 (UTC) True 1 Fn
Get Time type = Ticks, time = 82040 True 1 Fn
Process #780: net1.exe
Information Value
ID #780
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop wbengine /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:16, Reason: Child Process
Unmonitor End Time: 00:04:18, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xf10
Parent PID 0x804 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB3C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x0007ffff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
locale.nls 0x00250000 0x002b6fff Memory Mapped File r False False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffb30000 0xffb62fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 63 True 1 Fn, Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn, Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn, Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffb30000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (5)
Operation Additional Information Success Count Logfile
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Get Info service_name = WBENGINE True 1 Fn
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:06 (UTC) True 1 Fn
Get Time type = Ticks, time = 82009 True 1 Fn
Process #781: net.exe
Information Value
ID #781
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:17, Reason: Child Process
Unmonitor End Time: 00:04:18, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd14
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x00000000000e0000 0x000e0000 0x001dffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #782: net.exe
Information Value
ID #782
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop VeeamHvIntegrationSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:17, Reason: Child Process
Unmonitor End Time: 00:04:18, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfd4
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xED4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x0051ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #783: net1.exe
Information Value
ID #783
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop WRSVC /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:17, Reason: Child Process
Unmonitor End Time: 00:04:17, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xd98
Parent PID 0x6f0 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD2C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x003affff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff880000 0xff8b2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6aa0000 0x7fef6ab1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff880000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:07 (UTC) True 1 Fn
Get Time type = Ticks, time = 82321 True 1 Fn
Process #784: net.exe
0 0
Information Value
ID #784
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop swi_update /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:17, Reason: Child Process
Unmonitor End Time: 00:04:19, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xea4
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF00
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #785: net1.exe
17 0
Information Value
ID #785
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:17, Reason: Child Process
Unmonitor End Time: 00:04:17, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xd7c
Parent PID 0xb20 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE50
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0027ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffea0000 0xffed2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6aa0000 0x7fef6ab1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffea0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:07 (UTC) True 1 Fn
Get Time type = Ticks, time = 82477 True 1 Fn
Process #786: net1.exe
17 0
Information Value
ID #786
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:17, Reason: Child Process
Unmonitor End Time: 00:04:17, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xdf0
Parent PID 0xd14 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xEB8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory rw True False False -
private_0x0000000000490000 0x00490000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffea0000 0xffed2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6aa0000 0x7fef6ab1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffea0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:07 (UTC) True 1 Fn
Get Time type = Ticks, time = 82493 True 1 Fn
Process #787: net.exe
0 0
Information Value
ID #787
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$CXDB /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:17, Reason: Child Process
Unmonitor End Time: 00:04:19, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7ac
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE94
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #788: net.exe
0 0
Information Value
ID #788
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$CITRIX_METAFRAME /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:17, Reason: Child Process
Unmonitor End Time: 00:04:19, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7a8
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF18
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #789: net.exe
0 0
Information Value
ID #789
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "SQL Backups" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:17, Reason: Child Process
Unmonitor End Time: 00:04:19, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe58
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB90
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #790: net1.exe
17 0
Information Value
ID #790
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:17, Reason: Child Process
Unmonitor End Time: 00:04:19, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xf84
Parent PID 0xfd4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xDD0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0011ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfffa0000 0xfffd2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6aa0000 0x7fef6ab1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfffa0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:07 (UTC) True 1 Fn
Get Time type = Ticks, time = 82914 True 1 Fn
Process #791: net1.exe
17 0
Information Value
ID #791
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop swi_update /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:17, Reason: Child Process
Unmonitor End Time: 00:04:18, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xc4c
Parent PID 0xea4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x8A4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
private_0x0000000000510000 0x00510000 0x0051ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfffa0000 0xfffd2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6aa0000 0x7fef6ab1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xfffa0000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:07 (UTC) True 1 Fn
Get Time type = Ticks, time = 82883 True 1 Fn
Process #792: net1.exe
17 0
Information Value
ID #792
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "SQL Backups" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:18, Reason: Child Process
Unmonitor End Time: 00:04:18, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x7e8
Parent PID 0xe58 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xEE8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000200000 0x00200000 0x0020ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfffa0000 0xfffd2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6aa0000 0x7fef6ab1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfffa0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:08 (UTC) True 1
Get Time type = Ticks, time = 83273 True 1
Process #793: net1.exe
17 0
Information Value
ID #793
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:18, Reason: Child Process
Unmonitor End Time: 00:04:18, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xbec
Parent PID 0x7a8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE4C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000cffff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfffa0000 0xfffd2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6aa0000 0x7fef6ab1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfffa0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:08 (UTC) True 1
Get Time type = Ticks, time = 83195 True 1
Process #794: net1.exe
17 0
Information Value
ID #794
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$CXDB /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:18, Reason: Child Process
Unmonitor End Time: 00:04:19, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xfa4
Parent PID 0x7ac (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x15C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
private_0x0000000000520000 0x00520000 0x0052ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xfffa0000 0xfffd2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6aa0000 0x7fef6ab1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xfffa0000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:08 (UTC) True 1
Get Time type = Ticks, time = 83179 True 1
Process #795: net.exe
0 0
Information Value
ID #795
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$PROD /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:18, Reason: Child Process
Unmonitor End Time: 00:04:19, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbac
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xABC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #796: net.exe
0 0
Information Value
ID #796
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop "Zoolz 2 Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:18, Reason: Child Process
Unmonitor End Time: 00:04:19, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa34
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE40
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #797: net.exe
0 0
Information Value
ID #797
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQLServerADHelper /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:18, Reason: Child Process
Unmonitor End Time: 00:04:19, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xdc0
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xDCC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0023ffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #798: net1.exe
17 0
Information Value
ID #798
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$PROD /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:18, Reason: Child Process
Unmonitor End Time: 00:04:18, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xa24
Parent PID 0xbac (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xC8C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x002affff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffe90000 0xffec2fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6aa0000 0x7fef6ab1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffe90000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:08 (UTC) True 1
Get Time type = Ticks, time = 83476 True 1
Process #799: net.exe
0 0
Information Value
ID #799
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$PROD /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:18, Reason: Child Process
Unmonitor End Time: 00:04:19, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb50
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x89C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #800: net.exe
0 0
Information Value
ID #800
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop msftesql$PROD /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:18, Reason: Child Process
Unmonitor End Time: 00:04:19, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xdb8
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x8E8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6aa0000 0x7fef6ab1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #801: net1.exe
Information Value
ID #801
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQLServerADHelper /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:18, Reason: Child Process
Unmonitor End Time: 00:04:18, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x8c4
Parent PID 0xdc0 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xBB0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x0000000000520000 0x00520000 0x0052ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffd00000 0xffd32fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffd00000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:08 (UTC) True 1
Get Time type = Ticks, time = 83788 True 1
Process #802: net1.exe
Information Value
ID #802
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop "Zoolz 2 Service" /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:18, Reason: Child Process
Unmonitor End Time: 00:04:18, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xce4
Parent PID 0xa34 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB8C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x0000000000490000 0x00490000 0x0049ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffd00000 0xffd32fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffd00000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:08 (UTC) True 1
Get Time type = Ticks, time = 83866 True 1
Process #803: net.exe
Information Value
ID #803
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop NetMsmqActivator /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:18, Reason: Child Process
Unmonitor End Time: 00:04:20, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xebc
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD28
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #804: net.exe
Information Value
ID #804
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop EhttpSrv /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:18, Reason: Child Process
Unmonitor End Time: 00:04:20, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbc0
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x9A8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #805: net1.exe
Information Value
ID #805
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop msftesql$PROD /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:19, Reason: Child Process
Unmonitor End Time: 00:04:19, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x8d4
Parent PID 0xdb8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x924
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File r False False False -
private_0x0000000000200000 0x00200000 0x0020ffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff230000 0xff262fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6aa0000 0x7fef6ab1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff230000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:09 (UTC) True 1
Get Time type = Ticks, time = 84162 True 1
Process #806: net1.exe
Information Value
ID #806
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$PROD /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:19, Reason: Child Process
Unmonitor End Time: 00:04:19, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xd9c
Parent PID 0xb50 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE0C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff230000 0xff262fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6aa0000 0x7fef6ab1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff230000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:09 (UTC) True 1
Get Time type = Ticks, time = 84209 True 1
Process #807: net.exe
Information Value
ID #807
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ekrn /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:19, Reason: Child Process
Unmonitor End Time: 00:04:20, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x874
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xC24
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #808: net.exe
Information Value
ID #808
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop ESHASRV /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:19, Reason: Child Process
Unmonitor End Time: 00:04:20, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xeec
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xF3C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #809: net1.exe
Information Value
ID #809
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop EhttpSrv /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:19, Reason: Child Process
Unmonitor End Time: 00:04:19, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0x7f8
Parent PID 0xbc0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE00
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory rw True False False -
locale.nls 0x00250000 0x002b6fff Memory Mapped File r False False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa40000 0xffa72fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6aa0000 0x7fef6ab1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffa40000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:09 (UTC) True 1 Fn
Get Time type = Ticks, time = 84458 True 1 Fn
Process #810: net1.exe
20 0
Information Value
ID #810
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop NetMsmqActivator /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:19, Reason: Child Process
Unmonitor End Time: 00:04:20, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x520
Parent PID 0xebc (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xDEC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000005d0000 0x005d0000 0x005dffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa40000 0xffa72fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6aa0000 0x7fef6ab1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 55 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffa40000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (5)
Operation Additional Information Success Count Logfile
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Get Info service_name = NETMSMQACTIVATOR True 1 Fn
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:09 (UTC) True 1 Fn
Get Time type = Ticks, time = 84614 True 1 Fn
Process #811: net.exe
0 0
Information Value
ID #811
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$SOPHOS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:19, Reason: Child Process
Unmonitor End Time: 00:04:20, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd70
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x908
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
locale.nls 0x00210000 0x00276fff Memory Mapped File r False False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #812: net.exe
0 0
Information Value
ID #812
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$SOPHOS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:19, Reason: Child Process
Unmonitor End Time: 00:04:20, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xcf4
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xD00
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #813: net1.exe
17 0
Information Value
ID #813
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ESHASRV /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:19, Reason: Child Process
Unmonitor End Time: 00:04:20, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xc04
Parent PID 0xeec (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xBB4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
locale.nls 0x001f0000 0x00256fff Memory Mapped File r False False False -
private_0x00000000002d0000 0x002d0000 0x002dffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa40000 0xffa72fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6aa0000 0x7fef6ab1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffa40000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:09 (UTC) True 1 Fn
Get Time type = Ticks, time = 84895 True 1 Fn
Process #814: net1.exe
17 0
Information Value
ID #814
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop ekrn /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:19, Reason: Child Process
Unmonitor End Time: 00:04:20, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xc74
Parent PID 0x874 (c:\windows\system32\taskkill.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xC3C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x00000000000e0000 0x000e0000 0x001dffff Private Memory rw True False False -
locale.nls 0x001e0000 0x00246fff Memory Mapped File r False False False -
private_0x0000000000330000 0x00330000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffa40000 0xffa72fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6aa0000 0x7fef6ab1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write STD_ERROR_HANDLE size = 30 True 1 Fn Data
Write STD_ERROR_HANDLE size = 2 True 2 Fn Data
Write STD_ERROR_HANDLE size = 52 True 1 Fn Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1 Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xffa40000 True 1 Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1 Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1 Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:09 (UTC) True 1 Fn
Get Time type = Ticks, time = 84864 True 1 Fn
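The net.exe and net1.exe records above are the sample's pre-encryption service-stop loop: xhcdxx.exe launches `net.exe stop <service> /y` against security, backup and database services (alongside the `taskkill.exe /IM <image> /F` children in the process overview), and net.exe hands each request to net1.exe, which is why the net.exe records report no high-level activity while the net1.exe records carry the Service Control Manager calls. Where `Get Service Name` fails and only the manager is opened (ESHASRV, ekrn), the 30- and 52-byte stderr writes match the lengths of net's "The service name is invalid." and "More help is available by typing NET HELPMSG 2185." lines, so those targets are simply absent from the sandbox image; NetMsmqActivator, a built-in Windows service, is found and opened. Process #814 is also worth a caveat: its parent PID 0x874 resolves to taskkill.exe, which never launches net1.exe, so that attribution is what PID recycling looks like in a burst like this one, and a detection should key on a per-instance identifier (Sysmon ProcessGuid or PID plus creation time), not the parent PID alone. The following is an added example and not part of the VMRay report: Python correlation logic over constructed process-creation records modelled on these rows (the GUIDs, timestamps, the benign `net stop spooler` from cmd.exe, and the `RELAYS` and `WATCHLIST` sets are assumptions), attributing each stop/kill to the first non-relay ancestor by GUID and alerting when one actor hits five or more distinct targets within ten seconds.

```python
"""Correlate the service-stop / process-kill burst in this report's process
tree (xhcdxx.exe -> net.exe stop <svc> /y -> net1.exe; xhcdxx.exe ->
taskkill.exe /IM <image> /F).  Added example, not VMRay code; the event
records below are constructed and only modelled on the report's rows."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class ProcEvent:
    ts: float          # seconds since analysis start
    guid: str          # unique per process instance (Sysmon ProcessGuid-style)
    parent_guid: str   # attribution key; the parent PID alone is recyclable
    pid: int
    ppid: int
    image: str
    parent_image: str  # what a PID-based resolver reported for ppid
    cmdline: str

# "net stop <svc>" issued through net.exe or its helper net1.exe.
NET_STOP = re.compile(
    r'^\s*"?(?:[a-z]:\\[^"]*?\\)?net1?(?:\.exe)?"?\s+stop\s+(?:"([^"]+)"|(\S+))', re.I)
# "taskkill ... /IM <image>"; the report's rows add /F (force).
TASKKILL_IM = re.compile(r'taskkill(?:\.exe)?"?\s.*?/IM\s+(?:"([^"]+)"|(\S+))', re.I)
# Security, backup and database names the sample targets in this report (assumed list).
WATCHLIST = {"avp", "klnagent", "ekrn", "eshasrv", "mssql$sophos", "sqlagent$sophos",
             "zoolz.exe", "agntsvc.exe", "dbeng50.exe", "dbsnmp.exe", "encsvc.exe"}
RELAYS = {"net.exe", "cmd.exe"}   # launchers that only hand the command to a child

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_target(cmdline: str) -> Optional[Tuple[str, str]]:
    """("service", name) for net/net1 stop, ("process", image) for taskkill /IM."""
    m = NET_STOP.match(cmdline)
    if m:
        return "service", (m.group(1) or m.group(2)).lower()
    m = TASKKILL_IM.search(cmdline)
    if m:
        return "process", (m.group(1) or m.group(2)).lower()
    return None

def find_actor(ev: ProcEvent, by_guid: Dict[str, ProcEvent]) -> Tuple[str, str]:
    """First non-relay ancestor, followed by GUID.  PIDs are recycled fast, which
    is how a net1.exe can show a taskkill.exe 'parent' (report process #814)."""
    cur = ev
    for _ in range(8):                       # bound the walk on broken trees
        parent = by_guid.get(cur.parent_guid)
        if parent is None:                   # ancestor outside our event set
            return cur.parent_guid, cur.parent_image
        if basename(parent.image) not in RELAYS:
            return parent.guid, parent.image
        cur = parent
    return cur.parent_guid, cur.parent_image

@dataclass
class Alert:
    actor_image: str
    first_ts: float
    last_ts: float
    targets: List[str]       # distinct "kind:name", sorted
    watchlist_hits: int

def detect(events: List[ProcEvent], window: float = 10.0, threshold: int = 5) -> List[Alert]:
    """One alert per actor that stops/kills >= threshold distinct targets within window seconds."""
    by_guid = {e.guid: e for e in events}
    per_actor: Dict[Tuple[str, str], List[Tuple[float, str, str]]] = defaultdict(list)
    for ev in events:
        tgt = parse_target(ev.cmdline)
        if tgt:
            per_actor[find_actor(ev, by_guid)].append((ev.ts, tgt[0], tgt[1]))
    alerts = []
    for (_, image), hits in per_actor.items():
        hits.sort()
        for i in range(len(hits)):           # sliding window over this actor's hits
            seen: Set[str] = set()
            names: Set[str] = set()
            j = i
            while j < len(hits) and hits[j][0] - hits[i][0] <= window:
                seen.add(f"{hits[j][1]}:{hits[j][2]}")   # net.exe + net1.exe pair counts once
                names.add(hits[j][2])
                j += 1
            if len(seen) >= threshold:
                alerts.append(Alert(image, hits[i][0], hits[j - 1][0], sorted(seen),
                                    len(names & WATCHLIST)))
                break
    return alerts

SYS, EXPL = r"C:\Windows\System32", r"C:\Windows\explorer.exe"
MAL = r"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe"   # path from the report
NET, NET1, TK = SYS + r"\net.exe", SYS + r"\net1.exe", SYS + r"\taskkill.exe"
SAMPLE_EVENTS = [  # constructed records; PIDs and command lines mirror the report's rows
    ProcEvent(1.0, "g-cmd", "g-expl", 0x400, 0x300, SYS + r"\cmd.exe", EXPL, "cmd.exe"),
    ProcEvent(1.5, "g-net0", "g-cmd", 0x410, 0x400, NET, SYS + r"\cmd.exe", f'"{NET}" stop spooler /y'),
    ProcEvent(1.6, "g-net1-0", "g-net0", 0x420, 0x410, NET1, NET, f"{SYS}\\net1 stop spooler /y"),
    ProcEvent(0.0, "g-mal", "g-expl", 0x75c, 0x300, MAL, EXPL, f'"{MAL}"'),
    ProcEvent(258.9, "g-tk0", "g-mal", 0x874, 0x75c, TK, MAL, f'"{TK}" /IM dbsnmp.exe /F'),
    ProcEvent(259.0, "g-tk1", "g-mal", 0x0f0, 0x75c, TK, MAL, f'"{TK}" /IM zoolz.exe /F'),
    ProcEvent(259.1, "g-tk2", "g-mal", 0x3c8, 0x75c, TK, MAL, f'"{TK}" /IM agntsvc.exe /F'),
    ProcEvent(259.3, "g-net-a", "g-mal", 0xebc, 0x75c, NET, MAL, f'"{NET}" stop NetMsmqActivator /y'),
    ProcEvent(259.35, "g-net1-a", "g-net-a", 0x520, 0xebc, NET1, NET, f"{SYS}\\net1 stop NetMsmqActivator /y"),
    ProcEvent(259.4, "g-net-b", "g-mal", 0xd70, 0x75c, NET, MAL, f'"{NET}" stop MSSQL$SOPHOS /y'),
    ProcEvent(259.5, "g-net-c", "g-mal", 0xae8, 0x75c, NET, MAL, f'"{NET}" stop AVP /y'),
    # PID 0x874 was recycled from the finished taskkill above, so a PID-based resolver
    # reports "taskkill.exe" as this net1.exe's parent (cf. #814); the GUID chain still
    # leads net1.exe -> net.exe -> xhcdxx.exe.
    ProcEvent(259.6, "g-net-e", "g-mal", 0x874, 0x75c, NET, MAL, f'"{NET}" stop ekrn /y'),
    ProcEvent(259.7, "g-net1-e", "g-net-e", 0xc74, 0x874, NET1, TK, f"{SYS}\\net1 stop ekrn /y"),
    ProcEvent(260.0, "g-net-d", "g-mal", 0xc6c, 0x75c, NET, MAL, f'"{NET}" stop klnagent /y'),
]
```

On the constructed records `detect(SAMPLE_EVENTS)` raises exactly one alert, attributed to xhcdxx.exe, with eight distinct targets (the admin's single `net stop spooler` stays well under the threshold), and `find_actor` resolves the PID-recycled net1.exe to xhcdxx.exe even though its recorded parent image says taskkill.exe. Distinct target names rather than raw event counts are what keep the net.exe/net1.exe pair from inflating the count; the threshold and window are tuning knobs, and real deployments should feed Sysmon Event ID 1 or 4688 records with the process GUID filled in.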
Process #815: net.exe
0 0
Information Value
ID #815
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop AVP /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:19, Reason: Child Process
Unmonitor End Time: 00:04:20, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xae8
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB74
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #816: net.exe
0 0
Information Value
ID #816
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop klnagent /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:20, Reason: Child Process
Unmonitor End Time: 00:04:21, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc6c
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB64
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001c0000 0x001c0000 0x001cffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef6aa0000 0x7fef6ab1fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #817: net1.exe
17 0
Information Value
ID #817
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:20, Reason: Child Process
Unmonitor End Time: 00:04:20, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xcc8
Parent PID 0xd70 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xCE0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory rw True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File r False False False -
private_0x0000000000180000 0x00180000 0x0018ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff390000 0xff3c2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff390000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:10 (UTC) True 1
Get Time type = Ticks, time = 85254 True 1
Process #818: net.exe
Information Value
ID #818
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop MSSQL$SQLEXPRESS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:20, Reason: Child Process
Unmonitor End Time: 00:04:21, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xab4
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x7D0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x0022ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #819: net1.exe
Information Value
ID #819
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:20, Reason: Child Process
Unmonitor End Time: 00:04:20, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xa98
Parent PID 0xcf4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xBCC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0023ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffc70000 0xffca2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffc70000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:10 (UTC) True 1
Get Time type = Ticks, time = 85519 True 1
Process #820: net1.exe
Information Value
ID #820
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop AVP /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:20, Reason: Child Process
Unmonitor End Time: 00:04:20, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xb04
Parent PID 0xae8 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xA94
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000150000 0x00150000 0x001cffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
private_0x0000000000560000 0x00560000 0x0056ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffc70000 0xffca2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffc70000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:10 (UTC) True 1
Get Time type = Ticks, time = 85488 True 1
Process #821: net.exe
Information Value
ID #821
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop SQLAgent$SQLEXPRESS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:20, Reason: Child Process
Unmonitor End Time: 00:04:22, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xd78
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xCD8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #822: net.exe
Information Value
ID #822
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop wbengine /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:20, Reason: Child Process
Unmonitor End Time: 00:04:22, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xaa4
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE14
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #823: net.exe
Information Value
ID #823
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop kavfsslp /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:20, Reason: Child Process
Unmonitor End Time: 00:04:23, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xaf0
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x808
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
private_0x0000000000570000 0x00570000 0x0057ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #824: net1.exe
Information Value
ID #824
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop klnagent /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:20, Reason: Child Process
Unmonitor End Time: 00:04:21, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xc54
Parent PID 0xc6c (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xEDC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
locale.nls 0x001f0000 0x00256fff Memory Mapped File r False False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0037ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff300000 0xff332fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6aa0000 0x7fef6ab1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff300000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:11 (UTC) True 1
Get Time type = Ticks, time = 86268 True 1
Process #825: net1.exe
Information Value
ID #825
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:20, Reason: Child Process
Unmonitor End Time: 00:04:21, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xb08
Parent PID 0xab4 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xE04
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000f0000 0x000f0000 0x000fffff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x001fffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff300000 0xff332fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6aa0000 0x7fef6ab1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff300000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:10 (UTC) True 1
Get Time type = Ticks, time = 85925 True 1
Process #826: net.exe
0 0
Information Value
ID #826
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop KAVFSGT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:20, Reason: Child Process
Unmonitor End Time: 00:04:23, Reason: Self Terminated
Monitor Duration 00:00:03
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xcf0
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA14
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #827: net1.exe
17 0
Information Value
ID #827
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:20, Reason: Child Process
Unmonitor End Time: 00:04:21, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xc80
Parent PID 0xd78 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xDF4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
locale.nls 0x001d0000 0x00236fff Memory Mapped File r False False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0037ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff300000 0xff332fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6aa0000 0x7fef6ab1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff300000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:11 (UTC) True 1
Get Time type = Ticks, time = 86128 True 1
Process #828: net1.exe
20 0
Information Value
ID #828
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop wbengine /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:20, Reason: Child Process
Unmonitor End Time: 00:04:21, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xac8
Parent PID 0xaa4 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x83C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
private_0x0000000000560000 0x00560000 0x0056ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff300000 0xff332fff Memory Mapped File rwx True False False -
browcli.dll 0x7fef6aa0000 0x7fef6ab1fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 63 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xff300000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (5)
Operation Additional Information Success Count
Get Display Name database_name = SERVICES_ACTIVE_DATABASE True 1
Get Info service_name = WBENGINE True 1
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:11 (UTC) True 1
Get Time type = Ticks, time = 86128 True 1
Process #829: net.exe
0 0
Information Value
ID #829
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop KAVFS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:21, Reason: Child Process
Unmonitor End Time: 00:04:23, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa54
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xE54
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #830: net.exe
0 0
Information Value
ID #830
File Name c:\windows\system32\net.exe
Command Line "C:\Windows\System32\net.exe" stop mfefire /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:21, Reason: Child Process
Unmonitor End Time: 00:04:23, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0xde0
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x884
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net.exe 0xffa50000 0xffa6bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #831: cmd.exe
59 0
Information Value
ID #831
File Name c:\windows\system32\cmd.exe
Command Line "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe" /f
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:21, Reason: Child Process
Unmonitor End Time: 00:04:23, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xe20
Parent PID 0x75c (c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x448
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory rw True False False -
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory rw True False False -
locale.nls 0x00170000 0x001d6fff Memory Mapped File r False False False -
private_0x00000000001e0000 0x001e0000 0x001e0fff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x001f0fff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0031ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x0048ffff Private Memory rw True False False -
pagefile_0x0000000000490000 0x00490000 0x00617fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000620000 0x00620000 0x007a0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007b0000 0x007b0000 0x01baffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001bb0000 0x01bb0000 0x01ef2fff Pagefile Backed Memory r True False False -
sortdefault.nls 0x01f00000 0x021cefff Memory Mapped File r False False False -
cmd.exe 0x4a930000 0x4a988fff Memory Mapped File rwx True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
winbrand.dll 0x7fefad10000 0x7fefad17fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info C:\Windows\system32 type = file_attributes True 1
Get Info C:\Windows\System32 type = file_attributes True 1
Open STD_OUTPUT_HANDLE - True 5
Open STD_INPUT_HANDLE - True 3
Registry (17)
Operation Key Additional Information Success Count
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 24, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Process (1)
Operation Process Additional Information Success Count
Create C:\Windows\system32\reg.exe os_pid = 0xa28, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Module (8)
Operation Module Additional Information Success Count
Get Handle c:\windows\system32\cmd.exe base_address = 0x4a930000 True 1
Get Handle c:\windows\system32\kernel32.dll base_address = 0x76aa0000 True 2
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 True 1
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x76ab6d40 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x76ab23d0 True 1
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x76aa8290 True 1
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x76ab17e0 True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:11 (UTC) True 1
Get Time type = Ticks, time = 86908 True 1
Environment (19)
Operation Additional Information Success Count
Get Environment String - True 7
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 2
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Get Environment String name = PROMPT False 1
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Get Environment String name = KEYS False 1
Set Environment String name = PROMPT, value = $P$G True 1
Set Environment String name = =C:, value = C:\Windows\System32 True 1
Set Environment String name = COPYCMD True 1
Set Environment String name = =ExitCode, value = 00000000 True 1
Set Environment String name = =ExitCodeAscii True 1
Process #832: dwm.exe
30188 0
Information Value
ID #832
File Name c:\windows\system32\dwm.exe
Command Line "C:\Windows\system32\Dwm.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:21, Reason: Injection
Unmonitor End Time: 00:05:05, Reason: Terminated by Timeout
Monitor Duration 00:00:44
OS Process Information
Information Value
PID 0x380
Parent PID 0x340 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xDFC
0xDE8
0x150
0x3DC
0x3A8
0xCFC
0x7FC
0x784
0xB9C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00041fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00051fff Pagefile Backed Memory rw True False False -
private_0x0000000000060000 0x00060000 0x00060fff Private Memory rw True False False -
private_0x0000000000070000 0x00070000 0x00070fff Private Memory rw True False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x00190fff Private Memory rw True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x001b0fff Private Memory rw True False False -
private_0x00000000001c0000 0x001c0000 0x001c2fff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
locale.nls 0x00250000 0x002b6fff Memory Mapped File r False False False -
pagefile_0x00000000002c0000 0x002c0000 0x00447fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000450000 0x00450000 0x005d0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005e0000 0x005e0000 0x019dffff Pagefile Backed Memory r True False False -
pagefile_0x00000000019e0000 0x019e0000 0x01dd2fff Pagefile Backed Memory r True False False -
private_0x0000000001de0000 0x01de0000 0x01edffff Private Memory rw True False False -
private_0x0000000001f10000 0x01f10000 0x01f1ffff Private Memory rw True False False -
pagefile_0x0000000001f20000 0x01f20000 0x01ffefff Pagefile Backed Memory r True False False -
rsaenh.dll 0x02000000 0x02044fff Memory Mapped File r False False False -
private_0x0000000002050000 0x02050000 0x020cffff Private Memory rw True False False -
private_0x00000000020d0000 0x020d0000 0x021cffff Private Memory rw True False False -
private_0x0000000002270000 0x02270000 0x022effff Private Memory rw True False False -
private_0x0000000002300000 0x02300000 0x0237ffff Private Memory rw True False False -
private_0x0000000002380000 0x02380000 0x02474fff Private Memory rw True False False -
private_0x00000000023d0000 0x023d0000 0x0244ffff Private Memory rw True False False -
private_0x0000000002410000 0x02410000 0x0248ffff Private Memory rw True False False -
sortdefault.nls 0x02490000 0x0275efff Memory Mapped File r False False False -
private_0x0000000002760000 0x02760000 0x02854fff Private Memory rw True False False -
private_0x00000000027d0000 0x027d0000 0x0284ffff Private Memory rw True False False -
private_0x00000000027f0000 0x027f0000 0x0286ffff Private Memory rw True False False -
private_0x0000000002850000 0x02850000 0x02944fff Private Memory rw True False False -
private_0x00000000028f0000 0x028f0000 0x0296ffff Private Memory rw True False False -
private_0x00000000029a0000 0x029a0000 0x02a1ffff Private Memory rw True False False -
private_0x0000000002a20000 0x02a20000 0x02b14fff Private Memory rw True False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
psapi.dll 0x76e80000 0x76e86fff Memory Mapped File rwx False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
dwm.exe 0xffc10000 0xffc32fff Memory Mapped File rwx False False False -
private_0x000000013f490000 0x13f490000 0x13f4c5fff Private Memory rwx True False False -
dxgi.dll 0x7fefa1c0000 0x7fefa266fff Memory Mapped File rwx False False False -
d3d10_1core.dll 0x7fefa270000 0x7fefa2c4fff Memory Mapped File rwx False False False -
d3d10_1.dll 0x7fefa2d0000 0x7fefa303fff Memory Mapped File rwx False False False -
dwmcore.dll 0x7fefa310000 0x7fefa4a1fff Memory Mapped File rwx False False False -
dwmredir.dll 0x7fefa4b0000 0x7fefa4d6fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
windowscodecs.dll 0x7fefafc0000 0x7fefb0e9fff Memory Mapped File rwx False False False -
dwmapi.dll 0x7fefb130000 0x7fefb147fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fefb560000 0x7fefb5b5fff Memory Mapped File rwx False False False -
version.dll 0x7fefbdd0000 0x7fefbddbfff Memory Mapped File rwx False False False -
userenv.dll 0x7fefbfb0000 0x7fefbfcdfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
profapi.dll 0x7fefcc10000 0x7fefcc1efff Memory Mapped File rwx False False False -
msasn1.dll 0x7fefccb0000 0x7fefccbefff Memory Mapped File rwx False False False -
wintrust.dll 0x7fefcd00000 0x7fefcd39fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
crypt32.dll 0x7fefcdd0000 0x7fefcf36fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
shell32.dll 0x7fefd440000 0x7fefe1c7fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory rw True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count
Modify Memory #420: c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe 0x760 address = 0x13f490000, size = 221184 True 1
Create Remote Thread #420: c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe 0x760 address = 0x13f491a30 True 1
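The two injection rows can be checked against the memory map listed above: the written address 0x13f490000 with size 221184 (0x36000) is exactly the rwx Private Memory region 0x13f490000-0x13f4c5fff in the target process, and the remote thread start 0x13f491a30 lies 0x1a30 bytes into that region. The following script, an added example that is not part of the VMRay report, automates that cross-check. The sample rows are copied from this page; the regular expressions are assumptions about the flattened text layout of the page, not a VMRay export format.

```python
"""Cross-check 'Injection Information' rows against the target's memory map.
Added example, not VMRay code. Parsing rules below are assumptions about the
flattened text layout of this report page."""
import re

# Memory-map rows on this page read:  <name> <start> <end> <type> <protection> ...
MEMMAP_RE = re.compile(
    r"^(?P<name>\S+)\s+0x(?P<start>[0-9a-f]+)\s+0x(?P<end>[0-9a-f]+)\s+"
    r"(?P<kind>Memory Mapped File|Private Memory|Pagefile Backed Memory)\s+"
    r"(?P<prot>[rwx-]+)\s"
)
# Injection rows read:  <type> #<pid>: <image> <tid> address = 0x..[, size = N] <success> <count>
INJ_RE = re.compile(
    r"^(?P<type>Modify Memory|Create Remote Thread)\s+#(?P<src>\d+):\s+(?P<image>.+?)\s+"
    r"0x(?P<tid>[0-9a-f]+)\s+address = 0x(?P<addr>[0-9a-f]+)(?:, size = (?P<size>\d+))?\s+"
    r"(?P<ok>True|False)"
)

# Three memory-map rows and both injection rows, copied from the report above.
SAMPLE_MEMMAP = r"""dwm.exe 0xffc10000 0xffc32fff Memory Mapped File rwx False False False -
private_0x000000013f490000 0x13f490000 0x13f4c5fff Private Memory rwx True False False -
dxgi.dll 0x7fefa1c0000 0x7fefa266fff Memory Mapped File rwx False False False -"""
SAMPLE_INJECTIONS = r"""Modify Memory #420: c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe 0x760 address = 0x13f490000, size = 221184 True 1
Create Remote Thread #420: c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe 0x760 address = 0x13f491a30 True 1"""


def parse_memmap(lines):
    """Return one dict per memory-map row (start/end as integers)."""
    regions = []
    for line in lines:
        m = MEMMAP_RE.match(line.strip())
        if m:
            regions.append({"name": m["name"], "start": int(m["start"], 16),
                            "end": int(m["end"], 16), "kind": m["kind"], "prot": m["prot"]})
    return regions


def parse_injections(lines):
    """Return one dict per injection row; size is None for thread creation."""
    rows = []
    for line in lines:
        m = INJ_RE.match(line.strip())
        if m:
            rows.append({"type": m["type"], "source_pid": int(m["src"]),
                         "addr": int(m["addr"], 16),
                         "size": int(m["size"]) if m["size"] else None,
                         "success": m["ok"] == "True"})
    return rows


def find_region(regions, addr):
    """Region whose [start, end] range contains addr, or None."""
    return next((r for r in regions if r["start"] <= addr <= r["end"]), None)


def analyze(regions, injections):
    """Pair the 'Modify Memory' write with the region it landed in and with the
    remote thread start. A private rwx region whose size equals the write, with
    a thread started inside it, is the pattern of a payload mapped into the
    target and executed there."""
    write = next(i for i in injections if i["type"] == "Modify Memory")
    thread = next((i for i in injections if i["type"] == "Create Remote Thread"), None)
    region = find_region(regions, write["addr"])
    result = {
        "written_region": region,
        "region_prot": region["prot"] if region else None,
        "region_kind": region["kind"] if region else None,
        "size_matches_region": bool(region) and region["end"] - region["start"] + 1 == write["size"],
        "thread_in_region": False,
        "thread_offset": None,
    }
    if thread and region and region["start"] <= thread["addr"] <= region["end"]:
        result["thread_in_region"] = True
        result["thread_offset"] = thread["addr"] - region["start"]
    return result


if __name__ == "__main__":
    out = analyze(parse_memmap(SAMPLE_MEMMAP.splitlines()),
                  parse_injections(SAMPLE_INJECTIONS.splitlines()))
    print(out["written_region"]["name"], out["region_prot"], out["size_matches_region"],
          hex(out["thread_offset"]))
```

Feeding the full memory map of the target process instead of the three sample rows works the same way; the check is worth running because a size match plus a thread start inside a freshly written private rwx region distinguishes a manually mapped payload from, say, a benign write into an existing module's data section.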
Created Files
Filename File Size Hash Values YARA Match
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f 0.05 KB MD5: 93a5aadeec082ffc1bca5aa27af70f52
SHA1: 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256: a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SSDeep: 3:/lE7L6N:+L6N
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3388679973-3930757225-3770151564-1000\08e575673cce10c72090304839888e02_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f 0.33 KB MD5: 8bf794b7460c17e493e80cb6fbabcff9
SHA1: 0f91c64eb443f440f3cdee0b7fb3dbd45c33866c
SHA256: b58534e40e580b8c8fee0d54447931e31dbfd651f342f04a223d10e313964216
SSDeep: 6:9LWEtB95Kfv4udvNclVR1G3eECNkDkSJsmMwZgB9y3sM+xxUp47aHtkn:P95ivLs9GuysmMwZeOsMA1YSn
False
C:\ProgramData\RyukReadMe.txt 0.78 KB MD5: cf525d95dcf6b4a874727fd34f62c7ec
SHA1: cbb47b81c1fad34bcd3604dc978f137006d33440
SHA256: 0b07aceb0d18cd1edf368fc9c60d19b00b2c4d5a077a412cabbad9172f2f64f3
SSDeep: 24:iVezHysv9F2Ob/87gPsoU3gMqvKHHLb1+y3RhXY2bfbX9n:xzSsv9FjxFiH0iDbfbX9
False
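The created- and modified-file listings on this page are flattened records (one header line with path, size and MD5, then SHA1, SHA256 and SSDeep lines, then the YARA flag). The script below, an added example rather than VMRay's own code, parses that layout into IOC dictionaries, pulls out the ransom note and the CryptoAPI RSA key-container files, and returns the SHA256 set for blocklisting. The three sample records are the created-file entries from this report; the record layout is an assumption about this page's text, and the ransom-note filename list is a heuristic seeded only with the name that appears here.

```python
"""Parse flattened VMRay-style file records into IOC dicts.
Added example, not VMRay code. Layout rules are assumptions about this page."""
import re
from pathlib import PureWindowsPath

HEADER_RE = re.compile(r"^(?P<path>.+?)\s+(?P<size>\d+(?:\.\d+)?) KB MD5: (?P<md5>[0-9a-f]{32})$")
FIELD_RE = re.compile(r"^(?P<key>SHA1|SHA256|SSDeep): (?P<val>\S+)$")

# Assumption: seeded only with the note filename that appears in this report.
RANSOM_NOTE_NAMES = {"ryukreadme.txt"}

# The three 'Created Files' records copied from the report above.
SAMPLE_RECORDS = r"""C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f 0.05 KB MD5: 93a5aadeec082ffc1bca5aa27af70f52
SHA1: 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256: a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SSDeep: 3:/lE7L6N:+L6N
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3388679973-3930757225-3770151564-1000\08e575673cce10c72090304839888e02_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f 0.33 KB MD5: 8bf794b7460c17e493e80cb6fbabcff9
SHA1: 0f91c64eb443f440f3cdee0b7fb3dbd45c33866c
SHA256: b58534e40e580b8c8fee0d54447931e31dbfd651f342f04a223d10e313964216
SSDeep: 6:9LWEtB95Kfv4udvNclVR1G3eECNkDkSJsmMwZgB9y3sM+xxUp47aHtkn:P95ivLs9GuysmMwZeOsMA1YSn
False
C:\ProgramData\RyukReadMe.txt 0.78 KB MD5: cf525d95dcf6b4a874727fd34f62c7ec
SHA1: cbb47b81c1fad34bcd3604dc978f137006d33440
SHA256: 0b07aceb0d18cd1edf368fc9c60d19b00b2c4d5a077a412cabbad9172f2f64f3
SSDeep: 24:iVezHysv9F2Ob/87gPsoU3gMqvKHHLb1+y3RhXY2bfbX9n:xzSsv9FjxFiH0iDbfbX9
False"""


def parse_file_records(text):
    """Group the flattened lines into one dict per file; a record is complete
    when its trailing YARA flag line (True/False) is seen."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            current = {"path": h["path"], "size_kb": float(h["size"]), "md5": h["md5"]}
            continue
        f = FIELD_RE.match(line)
        if f and current is not None:
            current[f["key"].lower()] = f["val"]
            continue
        if line in ("True", "False") and current is not None:
            current["yara_match"] = line == "True"
            records.append(current)
            current = None
    return records


def ransom_notes(records):
    """Records whose file name is a known ransom-note name (case-insensitive)."""
    return [r for r in records if PureWindowsPath(r["path"]).name.lower() in RANSOM_NOTE_NAMES]


def key_containers(records):
    """CryptoAPI RSA key-container files (machine- or user-scoped) touched by the sample."""
    return [r for r in records if "\\microsoft\\crypto\\rsa\\" in r["path"].lower()]


def sha256_set(records):
    """Sorted, de-duplicated SHA256 values for a file-hash blocklist."""
    return sorted({r["sha256"] for r in records if "sha256" in r})


if __name__ == "__main__":
    recs = parse_file_records(SAMPLE_RECORDS)
    for note in ransom_notes(recs):
        print("ransom note:", note["path"], note["sha256"])
    print("key containers:", len(key_containers(recs)))
    print("\n".join(sha256_set(recs)))
```

The same parser runs unchanged over the much longer Modified Files listing that follows, which is where the encrypted user documents (renamed media and Office files under AppData) show up; only the note and the hash set are worth pushing to a blocklist, since the per-victim key containers and encrypted files have no value as indicators outside this run.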
Modified Files
Filename File Size Hash Values YARA Match
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0000E713\09_Music_played_the_most.wpl 1.28 KB MD5: 7f27bf2225642a9936aca940126177d3
SHA1: b544a88ef320f3e561fbb779bfc33e298e9bc48d
SHA256: 604a81c49a0ade7abe5c9fe661246e5f128831a6cea7cbaa792a09ec6d2e0fc5
SSDeep: 24:0yeEFJ//HDwEQ9z8HeLo4CH11nk/gKc4qzxVdq+hFWBfV:0lqJzzQq+Lo4CH1tkoK/qFV9FWz
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Protect\CREDHIST 0.44 KB MD5: 12a8e3668c8adf2ef092bde5437344c9
SHA1: 17e928bf0e8adc04f1e5951d644ebb72074ff76d
SHA256: b72934c2766d5b6463666298778f3f605670fc4c8a66f228c23ef26313956dd5
SSDeep: 12:tV78bv3M0rx+AoAp8MHa7lrygO9x+lXzPjpGN0I7:P78bvM0rx++8M69ydcPjpGuA
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9 1.91 KB MD5: cf0dc4913731f8ebe0884eae12392320
SHA1: 77309319b3acace0e404092902596bd88183254f
SHA256: a073c9d1da9a123cc0b9ffcf612edac0571a4fd4a3b86109aaea0b6c825516f0
SSDeep: 48:c4+64/qHjt/yycXdgsC7GtGKWGdEDQRoU4+fYMhIE2q:ld4/uIyadgTKFWfsRLH0ER
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\aYwgxqz6BAssQOg4q.gif 42.22 KB MD5: 239e07b5679e67bb719e3d3614a7c537
SHA1: 8065c9d979f63438d9229c1a7c5b8b117b6ecf05
SHA256: 6af56eb83471c02318735b331cf3a76fee298b35a600fbe4f701b242e3ea6048
SSDeep: 768:jeE9emQC3SKqkIJD6BIwz2CZYCIrXcGnNPdZS/scUQ/JqaNh8kuCh10fq7XFEX:z9emh3SKqkI8Hk7lNF4U3Q/JnhafqpE
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\jss_J-w0YpDsHpPrs.pps 59.63 KB MD5: 782f9f53791f23bd0b3a259d99065116
SHA1: a1fd7bea6519ce807e1b9f27f7810cf82a5fa3a7
SHA256: b85f4bdfcac7a56f04ceed5adf79a9b0e6554de3dbc210f9fe66f91f449f9b2c
SSDeep: 1536:uyhwLbkyBAyEW28vV2xEtS7ED1u50R8Wd5eheIJM/Gm:uyhwfkyBCW2G0aG6u5Aah9Dm
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220 0.99 KB MD5: 05e5309a924dc81d4495ce93992390a3
SHA1: 74da1df66e6c5899187086d6f74ac0ab15d5ec37
SHA256: e607ca36afc2333a8688edc120bd89caf54c733f7d78f1be0ad7fd4c79d52547
SSDeep: 24:uaPnIimEER8H3giCoaWTgjoa/YtYCrto/TvFOH8gYYoao3HvxfaMfTeqA:RnIi4R8H3xQegjR/YX8F+8nYCXJhC
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\7332KiZ.jpg 42.13 KB MD5: 4ecb5e1a999a6e9a78e73958bb512da6
SHA1: 24565d93ea4150c87ea533649e012eee9ed9282c
SHA256: b322198dbbff8aeaee5e2c2a38ca9fe6c6a87694f6f9aeb60c252c8a52a616d3
SSDeep: 768:YavWVam9BPMQBmgxxTS81mkph9BQ5rvqtShCkbuz30aAzJ4YnK9sDaMMIr7WyP2I:AVam9hMUmgxH1mEOIShCh3uuYnDMIqI
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD 2.00 KB MD5: fdfe7631059f4e760614a3bd224b324d
SHA1: 132f5bfd53dd04c766ca2b7c8ce10ce4d5e9b0f4
SHA256: d3c7e17a4ac63b7e584975e5567b92c1f24af6cfcc835b904c0a18cf96d71c65
SSDeep: 48:e6leryfTyrbVFStU0dbjzZcGbd8b4/4meCiQ0ayhF:eeeryfWPVgzeId8c/4meCiQ0D
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0000E713\10_All_Music.wpl 1.31 KB MD5: c7a115c492faf5465059838be784ed8f
SHA1: 875a8fbad88236feb2af520920ef0aedce2b397f
SHA256: 1479f2eb8536fc267ab2f4a09a0e5427c1376b6b629f78c021cf7f86a710fe33
SSDeep: 24:X2/7k8eAQVk+xutwiMaWGpMdrxCCjSt2mQozaTJhmyKO3Qfcil/u:I7LJQV3xuCiMdoMza27waGyBgfcgu
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61 0.67 KB MD5: 9ec4ce3f02d5844566c9d7adcf067b6f
SHA1: b4fd63e1822bcc6f3a98f09b5c517e76fb05904d
SHA256: c99b1f9df625572ee45a4e7d50ecb0fedb3cbb9646ad344a8370bc7d6dfc2fb9
SSDeep: 12:oAdB7zTomjAEHNhBlXlnCOQhuXwHGJ6mn4SZxkh38QFS2CzkBhqXn:bdB7zrjBpZpCOQoXwHm4Ci88SkTq3
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Protect\S-1-5-21-3388679973-3930757225-3770151564-1000\0e15476d-d8fe-46ca-8099-ebdcf80f637c 0.74 KB MD5: fa88712fba1431205fb95f6559e5469b
SHA1: 8981a5c5908c3170c7c9c7e88a1c87a9940556b5
SHA256: ed81a65994e7f585a56c207649a44974043cd061a32a8f6095540813954073dd
SSDeep: 12:WNPuQiodsqo1elKDqoFEFhhmUu4iadzvMg6nNeTkDTvyideGGemwKnuSSCi6C2Iq:WNWQioGq26tmUzz4NykHvyiWeNKnuRC5
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450 0.69 KB MD5: fae30a75a6a6ff4aadd23212b2eba32f
SHA1: 1d2c1c781ca22b75d629fef249d56262dda6a158
SHA256: 3cda79e9eadb8ebbd8211cd15997f0a7535d236c11b295266625f74dbdf11367
SSDeep: 12:4WySUWzV/7apxO/QHSIPf+ybe6N6SMwaeqxV566u5mY2SNiE4vxttDlTRdYmbx/0:4Wy+xGTOIPfq6MwarX56XojS+pTTd/Af
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4 0.72 KB MD5: ca420b8df45095683d13c782f4b5dc24
SHA1: 3ebaff20a05a038cf5d466f2101682893e25a336
SHA256: 6beddf231ff478f7615e16ac53feab2994c706e44babe2bd3c76027a8b2ad78a
SSDeep: 12:t/R3NlcUfl+CyTkcML7pRYLSjGtBp4DnnJPIknR3EvkewPC34O:ZREUfY9TTMHCSEBp4Dnmyh2Z
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3388679973-3930757225-3770151564-1000\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f 0.33 KB MD5: 2cb0aa735bacfb5eeec4225ca6e8d4b2
SHA1: 29819d019cf58018a3f21e1a9474f541121e4ead
SHA256: 9090b5238a6538b5efc78d0a5e66f207254393cc82f27b7b6dff42b361ccdd7f
SSDeep: 6:zfpep1I4h5Mj72fJ/IZzhalxmTmACFM58BFOQ8w/b1glhgdORaWkNLj4miZs:zxep1X5MjSVIZYlITmACW58BFDzClhg9
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1 3.13 KB MD5: 6cec177425fe2ff6703fcd35e372190d
SHA1: 53cd35503766097f9b1f31db1db551fab7f80d40
SHA256: bd86e2d2a59bc35c498a68d0448b23de123eaf6410cfd37e0163febaecacb641
SSDeep: 96:0JH6EwA34eKC/yAQO691xO5EK2SHC8b3kPj2rl:WHfdyA01xO5EsC8b37
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 52.99 KB MD5: cd6735013985aa25edd6d096fa8b6fd1
SHA1: 96251f8c9153fecc5f31ae0a3a235e47de999868
SHA256: 7c77f3c037f0223006b8654902e1dc61857c29b11f2357f77ac1e9fbe305df94
SSDeep: 1536:3sGoQtv6zA7fmNxTJ8c8ZTcdTS8UJOHGfOljMT+z:8GttAqmNxlCF6uPcHGmZ
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E 0.72 KB MD5: 9c082b7b2fa90fd4c47cebcfabbb2c00
SHA1: 67a97ff1cf5f4e63a38ee69a1d22bbade78982dd
SHA256: 6faa31b00e98bbf8346ee2628cc60168322439ec493b463ab5f4945ae5de172e
SSDeep: 12:m97Bu/YkVTK2iNdrBCYPlzNemYb13XbWThYwNk6WyU1vjXEDaPy/fPxIGY:q7Bu/YkBUr46NemYb1HqYwNwyU1vnKpm
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\Deployment\deployment.properties 0.97 KB MD5: 64556da5481f1f26195723eb43c9db81
SHA1: b9589e80beb27520f3d32bb228c235c08685db1f
SHA256: e84b393e888f79c1e0f25deddaeaf0ba6040c5af9b3d86e85b522d548fb87d86
SSDeep: 24:qGAi1M44oA25VK9thdUZv/ZUAza5TBZvntlqs7MVJK07kx/b:qYes5KrKWb7vntlS17Q/b
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\lblfFpjevZDdPPe.avi 21.77 KB MD5: 60352f53ae775143b118d1652c61417e
SHA1: 63fcc1602742e8a038f5d0d16fe88d3d0e99300a
SHA256: e1472828e22643421a48a027147572bc7bc6835c308740f350fe6ec136d53a3b
SSDeep: 384:fN+DKj++1SIK51ZBctyyaWS7QjrOJXBRk5RkQ08J1vMzv+tDNk9sbmmhEhrWlmGW:fwIjkZB94S7W2XS08J1++tDNk9469omd
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0 0.66 KB MD5: afeae6a2fa3eaab43335b00ba005577d
SHA1: 86803aea0f147e2aad0cb7ac5532b8ec4f54be38
SHA256: 0f8ce6295bced1da782acad7c690b2b1a5aaddc1b17a53a633c62af88ef252e3
SSDeep: 12:jDNioVC04BkT0LVW7/fwUKxKD5jM8ByvnxoGH09hGO1zJsNhhAu5oD5NeZYjbFxD:jDNno0ukTtKxejM2o6GAIbNh2u5oV0ZC
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F 2.00 KB MD5: 2c8ea9fcdf0d9850de5a080172310154
SHA1: 5ba013b5a8b99d7db396982891e01380ec0006a9
SHA256: 3f28f5d34f16c03c59908d80b2b6e9f7200ea4b9c854565178f5295e4c5ad938
SSDeep: 48:S2zSfe2+BXzzY/IV0fThy5z0w37382rguxjh77:S2SfeTBDE/IVPoSM2rBH
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B 0.67 KB MD5: 92ca60a347b11669c21807413270727f
SHA1: 093136c7488ec473a22cacd3bc4abdfcf858e95b
SHA256: cab9defbc46444b4887c15c4dcc43eb1256639b1320bc165e4385517b8b35d1f
SSDeep: 12:gw9pR6EBK4c91ZVxsQsW8urSYEae4zshYEOLn4GkYW0vhbfbixAwrMHzeji9N:xpR7K4c91ZVxzZ8nYE4zsqn4Gk0JbWaj
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\index.dat 32.28 KB MD5: 59de546469f3fd5d5687f8ecc7e91173
SHA1: 48616d358862b872231b06d583c26f21ac90d78f
SHA256: 565d83aa01ab16a727b6947f42d90dfd83aa2c1610125dd55bd44fa73a3e4b3f
SSDeep: 768:eivkfo+Bj0YAulzcQeAwNMMWvUIaI1UZorkfOKne:eicfoWdyAHvUelQZne
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\05_Pictures_taken_in_the_last_month.wpl 1.05 KB MD5: fb4d7f7c2b268fd00e28edbbb98aa955
SHA1: 799459c4e72bb041c16e23e6eaceb34b1e919ae8
SHA256: 344f6e711af9a7623faac1318d893975ea2f158df40f45e0312d34030ed5f076
SSDeep: 24:YwW/tExklXGykRiKvY6GUqOix7YuKzgv8FwCILq3jEmZseWapou74:u9/kRij5xMuKkDhLAieWKoZ
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\ZnnPZcdpTi1bKopC39.jpg 99.89 KB MD5: 116811e50c2f28068768fb661333151d
SHA1: e0dd603860a5a918847402e4d610c18f2146f76a
SHA256: 2548e22307e1cd30afa98261a381d0ac8417fd0cb65e5792b8349b4e36b32f4a
SSDeep: 1536:EBKRnuNYIXnAxTwl7Fn++bd1vBe+D4R5mfazBLPM3E2UiTPaiXT2LwYPZGYey7:MKRnOtpFnpbd1vBe+Uw+Zf21TP/IZGBU
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\3sfUL.mp4 34.67 KB MD5: 578157568aa8c6a1312d8e8dcaad605a
SHA1: 16aa31a0a3ff2eb79132f4c31aaece2f0ae3dd89
SHA256: 7bf4fcb3e0a9557fa3432088a8d93bebb27acfac8339b8db951dc5e773f9225c
SSDeep: 768:Roi6WirvTaU+SSLTl9vLieZXM/Ys3dzhmy1aRmWlILOj2:ivafL/8wstIeWlILOj2
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat 32.28 KB MD5: 469da4d15e152036ea2125fd685a0ee6
SHA1: 37a118a12bcd6236b1e5a9135ed9b41b68f690ea
SHA256: 0bad977e9858eb8efe9740aebe3dcc4b3ddb972c72f6f4ae0b35e4f2a765d43f
SSDeep: 768:QQvRe3bgwiCChHlYo9gjKgY9T0ofrc0ycLSkUZ21OGo:nEnFC0O19TXfrwcLSr2C
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Protect\SYNCHIST 0.35 KB MD5: 6dd123cfc926722d6832437ebbf2bf8a
SHA1: ee3be33299a1d6086ca5e1db964dd1373a159df4
SHA256: df574d2b195f32322f01cf178f0b253afe38244ac342700da8d056db48c875f8
SSDeep: 6:gNBq+i3bq2nMgJjHNAGkp4nnNauteuMc2HBKMXF0J2z9l77Ck3n:8qUpkjMp4nn8uM1B5V0Az9l7Gk3
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001 0.75 KB MD5: 671d062323b94adfbaab17dfb1aff5b4
SHA1: fd957cd99c23c9de65e6923432bfe5e9f798ea5d
SHA256: 6730b4db758ab9e6a6efc9951f930a20bdf5a76edd0c18e02cb64a5c42926bc2
SSDeep: 24:fhm38KSu5pXfZEzQlQ3hz7bpTc1Bm5z1t:fhSSu/2d79TiBm91t
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat 4.78 KB MD5: d495b8ee131a9e6f76845984617231f5
SHA1: cc0b0d08b51472a918a165b4758d3d83798b14ab
SHA256: f0125a8166af6dc443bddbb9a24823f3e5f762c85125f9bc82e5ebc3ded7d993
SSDeep: 96:2wBS++NhfHcIVwQYpPbE12rgZaojRvgn88xDlrQ6P3sCfEomhLBiYGckDv:/r8fMQY+jZaojRvgn83JizDv
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\08_Video_rated_at_4_or_5_stars.wpl 1.27 KB MD5: 46df8d7485c35a25be360e0346c7521c
SHA1: 98555e5ac033769f3bf28f8d98c7a9441a103439
SHA256: 42879d5e25e4be38422db693ee690790c10f5b2b970958fd337163880c97a4fe
SSDeep: 24:fojuoaM2oqvaFn4265akEInR35C44PDzhrlaMQxp7WGud3F9Yiwr:fA8Ra142oakZRJC48BxaRxp7Ki
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Office\Recent\index.dat 0.33 KB MD5: a3a2aad6f2c499ee3ba967e16d2c9c00
SHA1: 7556bac4a48aed6c7780621fbbb6f594e3cc40b0
SHA256: 4681eb41245be2e689aa41f5b147356376699e517bc704599455814be872f996
SSDeep: 6:X/YQjmmLJNoX1Q2ltWZg0a2ZqYiUq4+Sec0qo2YM8C3isovWTaDZhxFXwDTj11:v1CggXatZlzJqJ9qo07zTYhEj11
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21 1.85 KB MD5: 42bc4c546057a643ae8857ee81c93169
SHA1: c20ce3405abcbb91a3454740f08f1b6a3962e478
SHA256: 8616941f30815be7460f2f89548182238ccbd549bf2a37166c26fa1fbebe2198
SSDeep: 48:aUliVlzXlHENUo/hy2MypggtUQ+s805J44BlHcX7P:/UVlzXlHENh/I2jpg8/8d4Bl8rP
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\Cookies\index.dat 16.28 KB MD5: b83fc9821453ca82678f818dfb1b5b58
SHA1: 75ce2d478473c0830fda15fa5c35d50c0ae35ce2
SHA256: 9c409a4dd4622d6d7a06a70c7dec44f5edb401bc9c35ad02b64a67fb8b4222bc
SSDeep: 384:Vn1FAfOiDNGMZO8bX3ITksSZXm+ryiD/S0bdpqeW:Vn1FWNROCYTkdZJ7rSRX
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD 0.52 KB MD5: a6163cc44e5cbc09e57ef763631ba6ac
SHA1: 200643aa7bbda57e79c3ba971cf5859146e5027c
SHA256: 6ddd08158dc78be3174ec278f01ef3386520d7c2471cd2d08f1f98d781917cd5
SSDeep: 12:Yx/9Mj+aTQXa5hOe9yq0rNUsFbCFv0KrhKHOcDo1fkpv7spT:U9MKacXsHwkrha01fkx7spT
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC 1.75 KB MD5: 60ef6dd21fe66f65958a535bd21f7319
SHA1: cda90e2903ae911beb6281038a6f4ebcbe49276a
SHA256: f1b4890c79e70dfb39830ad90af5f02bc36b2587cd3e490cf99bb46df0f421ae
SSDeep: 48:JyAibk553KDvw4txjdRSK7/9ye3fkVQOAfhzIe61ISLMaiVt:JFibI3KUWRSKUy9OAfR+IOMr3
False
C:\ProgramData\Microsoft\RAC\PublishedData\RacWmiDatabase.sdf 148.28 KB MD5: 730ac69b811bc9d18c327bb979698a7d
SHA1: d619b3548670d605cc922c47cc40d1972d951e32
SHA256: 6736efc7b53b5222f6bac47206b39b82f7a9ae8710ca5ef66053392a7d3c3ccf
SSDeep: 3072:rYBgWYpF4Zak158sxIuw+IM3rB/Veuj6W5uFNahC555a0womIZrDA:rN4Zak158wIuoM3tVeujxqNSC5rac7rE
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0000E713\04_Music_played_in_the_last_month.wpl 1.53 KB MD5: 58eb4f3927b8708930f04cca21ae69d0
SHA1: abafc0818287b833bfe2b5ddf79b3a245833327c
SHA256: e77cbf3faa58705db25f6a1c135460612f3d97ef4ded3e075fd391ead2775d5e
SSDeep: 24:+Dxat8zFk0tYSktzZT06YLhZjZhFenloSsg65dZyVh2gciU7MywFWreAVMOpJ:XOzFkcT7jNSsg8ZyugfoiMeAasJ
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8 0.69 KB MD5: cef15859372bf467182af8d00184b3e0
SHA1: 4f39152840fdc9217bdeeb37658fa43749daaea4
SHA256: 0a16adde534f6d574ed01ca11311ca6472ca73e1073f097e51301294267532cd
SSDeep: 12:MJi6cfSWtvM4H5HTPhFzFm1DbFGYjl04VQW9yF6qlvCzLoMsVVi6Ns5unF9EKX0D:qhES835hKFFGYV39ovCzEbVVrVnFmXNZ
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD 128.28 KB MD5: ef19efced177025e3004ec738086067c
SHA1: c8d0d3a7d26709f2dcacab706301021062cb393c
SHA256: 4245e592aaf68da28e764c2b18d67b76452608e851f85055ac74915543b830ea
SSDeep: 3072:yyCXyuj/Ar70cZ2OmWtxR+vPUvFlyVZTCAQAIeE:yyvcArYcsORxR+GF+G27E
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\hlot18E-LD.pptx 36.72 KB MD5: 751cdae0709475d734632062b5f8cba7
SHA1: a430e5aabb68e85e7c4a7d3fd50844ab3ad24564
SHA256: 28a4beb6aff848937c115ef547619ebac37654746f769c2a41dcc5b56006a8c8
SSDeep: 768:b+CqGOso9e2w+ODokRMMvhWJxekK+4AFw5dKHzXKjqW:b+CqrKo2xAxekHZOTEzXK2W
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Office\ONetConfig\350db95df4cbd94b2a1c300510e12e11.xml 2.25 KB MD5: 7d3474c38c87783de12f41c24a9f6e36
SHA1: 9fa28d36646c4f3d4b18a6013c4542eaeda12f1e
SHA256: 4ffcca52fd4c50ce9dd5fbd2f95e7a53568d565f5667f34ac543e169fc237f1e
SSDeep: 48:OC11mFlgQ3azZX2+QYAxrm129k99xqXKn0SXgYYW2ValQyE1:P1m0vQYGmck9fqakYvU8Qv1
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\jashN -VayPDgA m-_.png 60.96 KB MD5: fe29cc12556da146be5e2a140f61f5ca
SHA1: f38e4eeca90cce375956424b3e2d4c33a6e4b558
SHA256: f0a3fef2b9b8e671201ae6a98e91a866b4cdef3fcc648d6a78cb9825c1a48c4c
SSDeep: 1536:SnQ283BIcOkfUatXje9C4vvZd1zf26yTIa2cyaEsekiPk+6X19q:SH4CcOkfUCjjuvZd12f2cyX9JPgXq
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD 0.67 KB MD5: 7d91f90886012620ddcf4b5886875f6c
SHA1: 7304098d5fc8e53f6313d64a7e0430e2c22fbd43
SHA256: 08a00c1c5153a2164ed108b6349181ad6b750dda0481982f4e8a2a202551c084
SSDeep: 12:sSH1/1KiCgihm+ZrFkj9/SI3bq3UOOFl4jdI1Eu5lYO+SwDWRFB0s3O0ROoi:X1/1eZK1SENFlrCMlYdSwyVf4P
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B 0.74 KB MD5: 6383c16834e455ce6b8c1f44959a3a1d
SHA1: d290ab17f0bb620a767ec180f8c632e67038461f
SHA256: a7062638fd46f64e19580b5c2d2c55621149372881d3971cbfa338727f922f80
SSDeep: 12:qcubr4FObqfgX3mVNala4W6X0XcZbcY/zIvt5JFESyZSkk0rqn9W41Vc1GMgC9NP:/ubFm4n/a4W6X0Xc5xzIV5ElBw9uNl
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 0.74 KB MD5: 2fa56c49ef06f2ef3745d0dd2c016474
SHA1: cc26eb99c407f4b8e3e7b0dd27e274d60c118a16
SHA256: 2a08b329168506ac62fdaa40458efb48ef1e4ea225f5e974208dff128dcef741
SSDeep: 12:oCNJg3zQby5NBd18XIpmmmTI0DI115NKMOOWOMzyHKQxdJPi8hA8suwnO:riQbQBrYQtgI3IOWOMzyqK0nO
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E 0.66 KB MD5: dfcda8fc1e417f65c74144b27f98465c
SHA1: 04f54a661aca4db4a4380275eee7bb0ed9762f73
SHA256: 94bc265efe4647c3ef1820f674d6b92370aef69839b0b9bce53c11b4f88608ee
SSDeep: 12:GS3nbIk8HKElxKEEdhT4v9op5IFvSlIbO+b8ldZGaF2C7vKNo4uV61IcQuEDSvm:GS3nMk8ZlxrEdO9U5Ioy38l7FhLyjScE
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585 1.85 KB MD5: d2697f888ff4b69dcf9bfb5b3237ad22
SHA1: 522350ddfc88b73d83c4e9f98a27ec79ddc03c2d
SHA256: b00e2037b0b2e958b4db3b38da82e51bf919e4540e8f86b27021a73649ac9153
SSDeep: 48:h3S+obqRlakIgGkc+BAGZfhg8XWTtS1+O2qknVqXvWPw:h3bVRYkIgDWTxNmN
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\1qNgFKhx2-6cl.m4a 73.53 KB MD5: 87cbf00abfb7d1b2b75b352c90b58808
SHA1: 603d6c848d3a8b71a304a011cd44276418af59b8
SHA256: 9fc0f83e294488d0d63ca92d4a5b773932a81123ff0f5fdc9aa68c1c9ea5e2af
SSDeep: 1536:YstW7ezHz0Lb/lyTRrPezh+MDTbh3oY8/eVtVAfzlMx:Y6NzHz8dyTtPezh+Q3oV/oofzl2
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E 0.66 KB MD5: 9515e816d07e585a5d1725fca8af47cd
SHA1: 8842ae2f2c89b92b52c2656f03c5fff2a9bbc531
SHA256: ddc48d7a607c788a255b62cb8ff2e4bbe0021020362bcb44d6c04c761ae8dfea
SSDeep: 12:QMj8sY+BsoXn+XbpTDqOp3FJDDKc0bU5xMkw3ZSvWVVnIW67learh8:QisEsoXncxp3FqsMv7I9kara
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0000E713\01_Music_auto_rated_at_5_stars.wpl 1.30 KB MD5: 38be3b0a69b6a1772fb317c4294cab82
SHA1: 76b1edf8212e0474e95ec5f773f0a33e0044f36d
SHA256: 6607453cfda2a6b9751eac9e9c2f474d20da9b186c8dc3a3f9f4bac2e251d08f
SSDeep: 24:6e2LRtnzGRcH3z+tcuHkD5IAx3s6ArIiuOuagZ6LNjbB8xF:6e+9WHC5IcfAr716qNjN8X
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Visio\thumbs.dat 125.28 KB MD5: 720732af05f515c836d67de93c5c00a2
SHA1: 554d8dd7a229f556012086639c0e79d1147be3f2
SHA256: 5d9eeb03f83e009178fe37f968fb273ea30f5b89cec168ce905da4193b43fd7a
SSDeep: 1536:5N6TMWSOhHwqUbs4b+AOQYJpfsU303TmIH2Jf33gIwPZywqRrVEpaEq9iQyPfwBu:5KStq8zbtgUUkHH2HlrH9iQwfz2bbmx9
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC 0.67 KB MD5: 36983d8f55c9a5e383d581a2fb63ca5c
SHA1: 95525f10b96b41c967e587f1d574ec95911fb321
SHA256: 72027b1c3c4ac176c70fca59ba9005963f185cfe44fafe403462986b345b543f
SSDeep: 12:SOV3P+85w5Pkou6jEZUiSKW/Qb/gsEm0ZP6q48uzpOiCM/p5ov:SM+iohQSQlb/uvxQzpOc/8v
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\1E1dS6vmH VPJ2.ots 89.38 KB MD5: 78153427187dc8646297eb0d50f04fef
SHA1: adbd85f255fef5379accf946737e5ff743850ce4
SHA256: d59ef5522b265573925884ef57851752e0b2d2880052deff6e766f72bdb02c42
SSDeep: 1536:XLaU3a9xENatNiztpQdRQSpRV+0gRkxFrCEvgLbd1mV9e6I7R8oR1mvalXW:53jNxBuQgV7UGtCUgf/mLI7RAaRW
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Cf2gB2yGZCbU0T.mp3 76.64 KB MD5: a66569de55259832a554390c54c4c9f0
SHA1: eecfabae9c7dc9a23bdcef51aa136ba04e03c04c
SHA256: 7583a4b7aab6ffeb0af90113eb274f4e645b1d700c5734583ad1ad2933db9998
SSDeep: 1536:ndzJdUMjmiK6lvhZh+9NRq+tQHMoFO7HtV9ypc/4TswthTkJx:hWl6lvvhs0+aHMoFO7NippTfhS
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb 68.38 KB MD5: 8cd0421493008055778669f29c88319d
SHA1: ee02ba1b5d0f7405e75f5789b3ab33fe73f2b191
SHA256: 8624d07a3bef91ef82953e26cb5d49ca3999a81f0529b8987e0c81ae4cfcba87
SSDeep: 1536:ja52FK/folmroxWRNsLhBgN39bEn0UnezmMGxMow:ja52Afr8xWRNihBoin0jmm
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\History\History.IE5\index.dat 16.28 KB MD5: fe830fab1abe8203aa1a8323d2fd3243
SHA1: ae3f2c40a07090a3fefe747649f2467346d55a96
SHA256: e8a029fb530bb611b7b3746222b59e55bbb9291e46722688177fc839f1d50b83
SSDeep: 384:7hxczwWREt88BNEvwP7Ox9rdGOYtXvySTk78g1C7fm:NupREtzN36x3YlaSos7fm
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150 0.78 KB MD5: 5bddd9dff81ae5e79c19a0da4efec0e2
SHA1: 5ca3302fe0d19e50b588b13e71f8b81140580a38
SHA256: 3398c6500f0354b8eb3304f0a15d2d89c238e5d3ebb1c16c782300e363296312
SSDeep: 24:hLSQc3PVyY5+unqvRnbkIYk4x/CLD3qWMBtQ:e3P0epabLYXxqLbq5Q
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Adobe\Acrobat\10.0\Security\addressbook.acrodata 5.55 KB MD5: 00d3da2f266de9d5139b2664a013a65e
SHA1: 60cd3727487a1c9fb207ff6370c3e4e565a558fd
SHA256: 952523e0141267b0d26ea31263e91e1d108911ff97cec26d41638872ba9ebe97
SSDeep: 96:LhXgUinZMhTkMXsKL5y+El7rg3tduzbxzeU3wWrqbGqoDOo0qat0eWwgC:LhwUIOdXsKk+srgbuxB3w2c1huTwgC
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\F0TlXw.mp3 49.55 KB MD5: d22424bb585d7f436f962c633da380e0
SHA1: d926950180474e546e55416a9651998a7b7393b7
SHA256: 2c800ca7d2164e69db8e60cf1623d41cd16c340c409675a078ffbd74bbb372d0
SSDeep: 1536:+K7gIhZRYOOG6zYdrZC4zn9q83HjURkHfHmYA:zhZRnOGpzn4cDURklA
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\QJTzqf_AiR6AdQv.wav 46.55 KB MD5: 6c017b69d2703784b787a0cf9f786425
SHA1: 2928819d00a48049fffa68fe7b6d0ebf4e50cd15
SHA256: 617eb18546addc8f79e017956bbf3fb09158dc733a371b1bf9f327751ee4a4ec
SSDeep: 768:OdyYQ5s5yS4A9fP5nZQhIY5DRtI+npOBxZicj2vqNrDjIgdv93Lu0USLCr:6Q5s5ygfP5ZOjLARDkABu0HL4
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450 0.74 KB MD5: 909ec588296605c9e25e631b90bb047d
SHA1: fa1b3a88f5e9370f79d703a14e66c1cf8e585b61
SHA256: c909f746a8f578c21511a1427200fbae11a3248fb9d8d33610890bc427452080
SSDeep: 12:yKUI8R1IEKwIXaY5yUeivqKS5tyUdsMRz41dTLkRUEFq0z2t9rdJqxIhnKX8PnDy:jq1IEKnR5yOS7SM941ZkyE7GpdJqQl7y
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB 0.66 KB MD5: 3685dccae15b75a35cab36dfe1d0aa96
SHA1: 090fbab11001c023ecbb08047b7374e95f49b2cb
SHA256: 88bd4f832e1ab307ae36aa06f7a03aa8b57b8d7e289c9e238ac635619ee227c5
SSDeep: 12:6kTpv7YmsXxeScisKqrtjyZKWfhxZ7fL/KR2nIeXrdLhEutk3rjQTXB3:B7ZAxrBIWflDKiIe7dLquOAjh
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8 1.86 KB MD5: 42277b41f81ff805ee3b80757fbe3b33
SHA1: c1c765fe5782ffbf85ff673ea0d4d4b66e5df986
SHA256: 9298c5546c117846c3465a4993c2669fe3af682538bb9cc63d8650d185aceced
SSDeep: 48:jtLl8UIatp9546qXQop1TgMI4+rqLR9wpnniaTgk7foAMh:jtLzIo5wrkMLkErCniaTgkz5S
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\mJ4 yRHwC_3TL.ppt 25.25 KB MD5: d00702a76b57e365cffc7cd96d0f3221
SHA1: 575de96babe99e5dc922def432a574fd8930706a
SHA256: b906730a1c161db4825e2643281e7dbdba9cd9d58a4f590d593148a5cdce9bd4
SSDeep: 384:EZ4dQXH9MhJSZ2CAE6/LcxXa50m6AktHTr1efdf8DwwilUwvjq0pgRMS1o5v9A:5XJSW/4qD6AS1iNkklU1ZRRo5C
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6 2.00 KB MD5: 440bbd18f18da81cd9e5d4819aa64005
SHA1: 66c3fdc9f3f00e9ce6c5edabe803060b91a73008
SHA256: 333a84bee341d7047da25b56187c00a3585b3fbdab879510a4ab63bf2a8dcdb1
SSDeep: 48:/6aRMNGLkiiSiBHE5cjC4JUOIJAPkUlME0:/6aRoGLI+5wCS3PkUlME0
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Templates\Normal.dotm 20.42 KB MD5: fde03ab9ee074413d78e066182a1ab53
SHA1: 6b6a3b0c74162f9dc06d2e45432581b1b9d1b939
SHA256: a7833839865f5f5b3786766c8a67e301e4ba4aca2a86c790de0ffef2aac5a202
SSDeep: 384:v/qBt2odFPNnbsz+rf28b2WHSmsakxbMEMyt5AWmyEfPG5ixQtVpHfbXeALeNPOT:viBAoD5bsqz52WyVAyt5Lmy06ikHfbXD
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\01_Music_auto_rated_at_5_stars.wpl 1.30 KB MD5: c6bbe9474f13839cfc60ffb58be667f1
SHA1: af5f253bb412052460af486199b23da5a888b0f2
SHA256: 15adc4136a10fafb9ea265fb7fbdd6a1cb548194f7388ece9aa5a1192c2fa63a
SSDeep: 24:9sQZmogJFVvZd2pTlQhDIbLMup2Qjp/u0Lg/8/Uv40ImFS3cMga6xTlzBju:6QZmoE7ZAp2h0bLFv/u0LW8cg0Rc3Vgy
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F90F18257CBB4D84216AC1E1F3BB2C76 0.81 KB MD5: 5bb5d37a09f76d483406145d736b7e95
SHA1: a0fd94afeee03b9f24dd1c7d352e1e2d2848af85
SHA256: 74ad465b77e0e5f807e20af51fb0c2a558d81505c5b151bd16f2740e4c02daf3
SSDeep: 12:yf9lX4GTBh/iE2Y6zVMIJivBlhPq+uM8neHB4yY3yGQ/Ow3sF2CwJZxx1c93jyWQ:alpTTXAV8ZqI8eHd+bw3sFb0ZxzATyWQ
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\index.dat 32.28 KB MD5: d797277a8078c9cc67160555656d912f
SHA1: 29e35f7d3fc520134e34b0c7736dc40221a59b40
SHA256: c4725657afa859276005838d78961857b9a73a03c5605777dd8cfa5cc13e81d8
SSDeep: 768:m+Y8SToMeW9NCGXqSwMdYo4C9wUBL+6BjjUmATcYRPB:5YbT/rXqLofwcLNsmLYRJ
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\3MWCQdlfuvEzl.mkv 26.81 KB MD5: 091ee194452abdb80fa21b17b7a71297
SHA1: 906920dcab407c879b31882fadad4d7279a34159
SHA256: ac0935a8d4ac9427d5d47d85770fd7037d56ad0b16bc036bc7acb3f33f42dc19
SSDeep: 384:8cPH+AR0gTVt3Z0oiEpdylagMnDV9yKr7WRplpSpj4Zk9U0LfHjTvgBDGsobnfMC:lHVt3SqYUgcJhWrTJCbsobfYe
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\ITY-CIAZN62NhyYq.m4a 43.13 KB MD5: d0d1417bdf6e63c539e7082098b9fcdd
SHA1: b679640b8650d75e0f562f466a29462fbf5ce401
SHA256: 20c7f3be945d13c7bb3c08e8245677dca8519c9fcf919540f5aa8ec974458a22
SSDeep: 768:FnxretFEicRQ4Jkq+Hc0vlvBH9TH9sgceKJz0nQkdew9OcYMzLPBYwAGDBjXd:Dr6T6Q4J9Ic0vlvBphHKJAnLp8cLYw5L
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973 0.67 KB MD5: fa569ee1f31873114acfc4a74803eaa7
SHA1: b3bce3d00a2a04b9ffb7ca4b82477bcdb7418b20
SHA256: 773dc178eb6aafcba5266377fbd5c9b253a941888412f7854cb148d605d8e51b
SSDeep: 12:N78DpV3P2n/fjmkbKNqcuerhuh5qzU3c4XzjcVZTJsHTy7c:l81NA/fjFbKNqaObc4XzjOZS6c
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\0ir7Ld.jpg 2.19 KB MD5: 964440bb07337c2bd8ec30acc94edbb0
SHA1: b3e802f831b75dce341a4359c946e1ba840ffdef
SHA256: df57b7ad9fffaa8fe04b11a41b872275bac69fa2feb19da421745095f0cc8dac
SSDeep: 48:nu0zG+3NmRHRpueACmji3Jz/E9+MO7A9CezzDdJdYbwY5xvG:nRyRHRpFmjKJzdMOc9CezzDRpY51G
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\11_All_Pictures.wpl 0.85 KB MD5: cecd2a0eb021dd494d34a98ceacd0303
SHA1: 49fe5c9b44e458b3a73621e14cdd893d57d19557
SHA256: c04676e16a11b2ae3ac1ed486b0479e2748a165c6b1904a7a488e323e6282e4d
SSDeep: 24:Oj8M8Q10/ZE4BSfsTpvqkoZGExIb3Pi+pQjdTtn:OUQ1GO9fsTproZS7lOhTt
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Adobe\Acrobat\10.0\ReaderMessages 8.28 KB MD5: 72e3723d6f8f65d810bf955953150b35
SHA1: fd6a6fadbbb9dc99ab380a0b3c69ab364f9519e6
SHA256: 3dc7fbb13bde2e7f5b5e4225c30eef6c378d642e8f4a0d6de03737623890d525
SSDeep: 192:U87t4LJs2vG8puKZl9ONmW1fXz0XGzDSPsz:U87Ys4GJKZeN5XoXGz+Uz
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1 0.67 KB MD5: c35063dd7d962493378723bca314cf18
SHA1: 7fd41c7e958949227686e713093bb0bb2e1bb7d0
SHA256: cb4150242d42e83b7258c18fbc12481072631d95563d593965ae795604fa6edc
SSDeep: 12:SKTsLqlp5CBC509m6CaKTMg8dD7tXNq/Hk+cYcEvHIQpaibPDaugQ5HLKn8r:ZT5Yc52saKTEB7+/E+cYcE/IC3bPDane
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\f9-JCP-XCTviVeReJ.png 92.72 KB MD5: 6c0ca3c8b179bfd23488f1d5adcea74d
SHA1: 947750732b364c01b5026623e0d4876a510bb952
SHA256: b19e4d960f816476d17dc1f3ff22d4d2566fa1531a34f2aaeac2195b15153667
SSDeep: 1536:HmjNHULr+2lCHx66LZDp5r+2+9jknJ6rbaczqkApLzvEP4/JYY4hHidgpwKf/DgY:H6HU3+2cZL57r+n2wHaczf2EgSYmidgn
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9 0.67 KB MD5: fea9bee232e6635d8c2adab1fa9429d7
SHA1: 2bd6cb10ddcd194cb8d3263d301ef40a92df77bd
SHA256: 2f19c99c02d1acf4bdec6ad3a87780c9eebef6048a0ad79e27d658d66a52acb2
SSDeep: 12:obp8zre99yHVWOWK+hewd6G6QQrIRTEESVbdS9+25U7S9xfc/wp+n:oiBH+hewd6GxQcRTEEkoH5zxhM
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3130B1871A126520A8C47861EFE3ED4D 0.49 KB MD5: 3e14795c0af8b211f1b3fb8aaa2a26e9
SHA1: 2bce19e57ae8ab076cf20e69fb125bbeac3bc9c6
SHA256: 6e4ef309d5008050382d7fad7844218e74ebb7a6a7d3bcccdfcec75112bc418f
SSDeep: 12:h2uPbMbUwL69PKWNUamMSAUKYy/dgA/dIaQD+ZBBskSjn:hbPbMr+9PKWxCAUOrduoB3S
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30 0.66 KB MD5: 5b09ee03d34209c828772348c5b6d4d2
SHA1: 90f6006c37356a50133d33f6118e512ed2f37f94
SHA256: 027e82a90bf4ff10f9782cf1a38c91d2cd75e6df527bc780099fb4a13388642c
SSDeep: 12:BCyug+71DmAOkB2eWXlVIKVlAUmsdlHIK6d19upC3oL4VcGWraopcZNKZwyjq:BC5jDmAJ2ekwUmwHIPupC3okVKNc7Ewz
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D 0.67 KB MD5: 6914f675811449d7b9590e57f4d8f39a
SHA1: 7288c2d1e4c72543db9a1516bdd83adbd7d0f7a1
SHA256: 5c360489c064b77c5a06a8751e1653a2ff3173f355d54604be0de0b24feb2fc1
SSDeep: 12:5g3+FCeNAAz1ULcdTDvbQwSv3peq+rSFKqYlwbjZhbtDleTiqbKeikaT9fpfL:m+NAAzk6DvbQwSv3gX8zZhbx6iqb8TNl
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\NapLd2DTycPw BeAC.odt 53.35 KB MD5: ca48fae4e5de4fe88fe693e5c2559b47
SHA1: 1c0eea0d21ec7da4bd25e96e0df3856a03442333
SHA256: ab14ebd54f11fc0ce70be8c36a967e46e2f13cd48206746a437301b3636e2104
SSDeep: 768:PrJbhwbbf1crrVZgAXgXgihQHcTrTPIBt+2eQ61FQXXJ0gAaOmscT4F4z:PrJhwbqrrXK772t+2v61OHagTT4F4z
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E 0.72 KB MD5: f83062db10898fc79e9bcccad895481a
SHA1: 5eab9485460ed8b9516d779e32900be64a194352
SHA256: a9726755338057bd23d2b2a0c37055b1db75252291c650dfeff01a39a54a7212
SSDeep: 12:4Of2QMq01F04+J1jtUiynQGEL+K3aNVv0emRyh6btUrYPNXgzdLP2k+RlD32lGl:4w8b7/+JFiWoNV8UetUr+QzZ+k+Rfl
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061 0.66 KB MD5: d41384bda0859af4e434003ba62b43bf
SHA1: fe74af9217bbd2a3f341c7c988068a1e7d1d4392
SHA256: a7905ff1ca98daa5adeeb3627f2ad205c854ce494c1d64b40f91453a94acc7e8
SSDeep: 12:VzI2+jqj9uhC8d3k0f2PSMDxG+GtTlbgW3u9iTfeARulEzQhXyaDYNsc23xN/6Zc:VzIX2j6C8dAPSkG+GtTlbfe9Efe4ulEO
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Visio\content14.dat 99.50 KB MD5: 8fa9a2a5be53c3baad1c39e24169e85f
SHA1: 9e128948b96799640a5857a64d8489b3cdb96ceb
SHA256: 887adc2cb68ff40449118b13093f52e5442331ab85e7562b5c6e6c2852ae6820
SSDeep: 3072:STuPKdEaevScLTtCyBRxx2PvcUSFnibo1KmDQGb2D:STuPKdEarYHXnLKpE2D
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE 1.69 KB MD5: c6dfa29bfa8f717623ff1b5031fb017a
SHA1: 315781b116b8f98bb30ab7495e8c68de39634582
SHA256: 594b92c122b402a6137a0bae4fdcee708680fef86ed24d685a0e0fba606125cf
SSDeep: 24:ejkAijsrJDMevWI0hsOG016j9XDHSysM2vnTCa+IOCjM3MIpJfRueKfX58rs5TtB:BzMhOI0hM9TyTJ+IOHLpta5FlvsYT
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Office\MSO1033.acl 37.16 KB MD5: 529d3706a2e1058b303a16d695602cc7
SHA1: 0b51eafcf51b6b39fe53af63fbb063964a9a53ee
SHA256: b4cb5bab288cc896a50e70418616343f20c9d13f34db6301ea196b17db99c1cd
SSDeep: 768:sgqWVPrdsKLA4LiD8+sJThXMVfAyFBPmT9Rwq6yzt4rF5B:3pVziemDNsJhwTjPU6yarJ
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\09_Music_played_the_most.wpl 1.28 KB MD5: acccd8e458ab4708fee4fda066ff9a56
SHA1: 47a906fbbbcebbdbb13a998c1dd08ad04c4a3f8c
SHA256: bfd2889b24ad93a30ce42be04e898106aa64f82d29fa4b7ff8048082d3b5221f
SSDeep: 24:bqCtYxguDaHsD7jyPcItAoq6O0/trau2PFDavP1uAEvnbOgTomlSdq:b3tYSPHsbyPcIt5z/tX2dDDvbDs4
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56 0.66 KB MD5: bf1a2b22f3cd7061ced7ac67c043ec01
SHA1: f61fed6d2106496686f39d9ff5e8accc74cf1bb4
SHA256: ee37ac1133aa2ae9bcbe30a6d98ba82eb2f1e239bf0043e76785c57c2f8d7217
SSDeep: 12:Jwb8mielEEGxI6+sRvInfhQs0AxgVMualp7b7vlKY7aMR6htiTaf5mL23EVP:W612CvkV0Axgolhb7gYmM9uf5mLii
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E 0.66 KB MD5: 66a1ee094dc12ce7d45a7d127b664304
SHA1: ee6a1ba049ecb3534d08e1e81c2deea80ca7b6c4
SHA256: de2ce91c18841993ad55adf5598309ebad575c1852f19558d6cbe006a2785782
SSDeep: 12:H0Ig2Gpr2l/xYeJ3dMIrMUZFnuj6cubd4Elf2hantSOOU5:HY2oqj7v+NVEltfOU5
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat 3.78 KB MD5: deec410482f7bda2b9d34b18790554d8
SHA1: 33bb4268364b61673254bfea2a0b67006172577c
SHA256: 89163ef708035b6e9c53a3efafd7c7e820bcd19ae59072497a9b5c849de1624f
SSDeep: 96:wG75x5hB4khwRCzVuuFhNhhhSy55O1UNm6qJLHp5AN:JVHPjwRgFhNhhhSyLO1D6Up5AN
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\SeOx9Vq35cBW0Hf0.swf 22.50 KB MD5: 442892e13da6322810cb16dc745d62f9
SHA1: ee103ee43b2e8086fd64499ef244ae181e1f0b30
SHA256: ad43e7a2e96cd6da8482aa3fb5e75c3bd271db60d88668563918768e893857bc
SSDeep: 384:iKSSnoa/fkj5nqRGJfSfXFpV82ixgPd8tbfsYz+0W1gDuUI8YFMrEikShzn2Bo0:iOo2fuhaKfUpV82kDsYzTW6Du9zqrrk5
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC 1.69 KB MD5: c8caf3938f868615550fad65194578c5
SHA1: 995d1a2cdd788427ed990f4b3f2d1f2e51885219
SHA256: de9210d3744629b2c213de17db07c6a2ad8868205d12278609f209d9a183d2d9
SSDeep: 24:QzZO11y/B0XACjH4krlG/WYABToGd+bgrEdHxAT+6TMmeEqLWp8DZia0puLtvOsY:cZO1rwCjH4oGXABP+bP8q/m1lMZndZ+V
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF 0.39 KB MD5: 7344237f587293da73a53279eec3cc7f
SHA1: cfbef72cceeff9faf58c2d51c14049fe163caa6d
SHA256: b59faec78b0e8611acb2a247d068bc8e1d51cd6bb2a28a251e1fa6d3dc171a6c
SSDeep: 12:hgABDndWpFgJ9L7QOMohyPOiYht52ac+e7Tv:CoUOqOM8yWthJG7
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\bB8DV.wav 69.19 KB MD5: 2183b16f8234e722e6aad252e2abc114
SHA1: 1f41ba73d42e8e8da9bd9fe169949024f029c980
SHA256: a301641f4d960287df5c8e5da7937ab20035dc45abc5bea7414451263f69189d
SSDeep: 1536:h4xAg48jbPffki70duJPPY5ftaiFwtUSF3zYOtRE6U:oAefPnl7Ou8fta2DSF3zzdU
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED 0.66 KB MD5: cd427b23842be67b0756ed73bbf8f89f
SHA1: 4c1334b887eee66c2273471c4ac9db9f7226e825
SHA256: 6d7f5116451fcae73ca063cc69033ea5bc68577aa83815bdca09ea3a5c610e26
SSDeep: 12:OJt+ERkRNEzWY8ldhtIBTn9y7iaZRYkbPQ4Vwco/PLxPB:QLkR2t8jbIBTk7bLIYo/lZ
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7396C420A8E1BC1DA97F1AF0D10BAD21 0.53 KB MD5: 60f892b79f2a193f98b33fd8c9c51df5
SHA1: 365996fc0eb4158d665e2644bff1af83ae5f7bb6
SHA256: 2347d13ab8797102c611a421b94d83b08910e6b37d3f7251af5f8c4bb3cad379
SSDeep: 12:6K6A02gR9ahgaVbB4zJuNmIoCtDVb8NIcm8r8HF:6K6l22CbB4UNroCtCIcmPl
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\vjSrSm.mp4 58.69 KB MD5: 45fb64fa3bb3d0d4a73463aa1efd9078
SHA1: 1d6a2d08ba8f9dc8be6aa31a6c6d8cc52982f2dc
SHA256: d72b41b09426ccd8be89c42654c94a15279f84beb9cfc7b5bd1e1eb16245129d
SSDeep: 1536:cgLsQpf8LU8ix9NBx8wCOQeLhxdFBOurwn/tbzK1:Zjp4U8MNBNEOhxQv/tbG1
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 0.74 KB MD5: b7115e1486fdc3a038c4bab9e37a1610
SHA1: 31a94c3228d47e60adbfde4df7a6723372e58645
SHA256: 70d99895ac6e725ce4240224560f9f1d71357a3d88043cd8a7b18f08f365ce17
SSDeep: 12:DnNG6Etn1VHSSAARKZ5CEGf0QSzcn50twSZrnju7+Kz9eI1fGWiUGDzJBq/JWcr:DnNDEtnACJSIn5TSaL15Knk
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT 16.28 KB MD5: 3f17ceb391a5f359991f43177e8c7a9d
SHA1: bffec6a8a773c8e9bc4b2f0a325633e91343fbcd
SHA256: 0c056fb0a04b690ee6eb33dac68e56a888074cd63a63e44e4848121bba3022e9
SSDeep: 384:6GHSvGEBXYvaDAWNNkUhEoNk7gFes/L1bP569rFwO3K/6oWvB:6GHSvGqX08NkUhRakF7pbI9FB3K/y
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E 0.72 KB MD5: 27e9c7d61d0be6abf9c532369daa7615
SHA1: 953bbe9a2be241fa643e55a5deffc19b0fe5e31d
SHA256: fc4d7c5737b5d19e198900985a0fd94300dc71685752c614d5a1604736876e38
SSDeep: 12:0Q5soODd0IgAGmDF+S/uUBUtCDaTstLId1l2AuaUroJaAV6llRSYOGJi0zAKqF6X:VsbZ0IjFZfGRstLq2aUJZsGJi0cKqF6X
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Protect\S-1-5-21-3388679973-3930757225-3770151564-1000\02540a10-7eb7-4b20-a8c7-470f8986389c 0.74 KB MD5: 021198e7befe971ecef1e18faec6df95
SHA1: a12cb131bdb81d5503c689af02676a6be91c297b
SHA256: f7f4ba6b6b3d7ee590de80052a171c70c468418144d09611b09f8a82dc7f9422
SSDeep: 12:h+ZxKGzfoC5na8ATIMLcK/22lQh45eiDTa+40YmAPmKTT4loF/BUUbUbc0duCHtX:oZ3xi0Gck22lQweqYmA1TT4leZUJc+5
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\10_All_Music.wpl 1.31 KB MD5: f7d5e1b111c80e440c2f4bf85b068cdf
SHA1: 96fc669a285b1a4c1573afa0f1ac844ee5299709
SHA256: ceaf2561989988e31bb116a22352c05c42afc2e3d88ec3403ce1089289539452
SSDeep: 24:iPdXiuK4E+UcMZd/Jvu6DktHH3EktR6EzedXG06uGmpqE8i:iPdSuKyWAn3Eu6l20vGeqM
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\e4a9vNOEt.avi 70.81 KB MD5: aac95ca1b8ac191dc193e0d0d56225f3
SHA1: bd1c4763e8d4932f5f2ce0f5a2fa515b518dcf7b
SHA256: 96fccc6c515a7f966aee5d12e44a1bb23d6f3491d3d812b5ce6cee609b813428
SSDeep: 1536:g7vd30DvlBcZwoTNTwqWi/V+96NBfKqWMditJ0vh07iqV:cvcMZJTNTx3V+96uqDNW
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1 0.69 KB MD5: 9628a2e341e0a62d73a5e3dc56aa1894
SHA1: ae1764daa05cd9a259ea30fccc66d49674ab4746
SHA256: 3267dd45d4e117d7a18b19e790f6dbec13c488e376ec93b56390eb65c3ce3acf
SSDeep: 12:n4OvmSgY68Ib9zrBrWsFJHJTr2bMrwBUON0WUf+MtMANT8gJ+2ra:OY6VxvpTrPrtkTUmM668g7a
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56 1.63 KB MD5: 4577e50f8d3919396e6821af66dccf04
SHA1: e3186694f806380e7d0b65ad29f5e8951f1ac112
SHA256: 5356a5d9ca5b579fbb19b34c455c4d11c9e3ba769dcd9ecd2d1decc2037ac6b9
SSDeep: 48:pn+6g+PG2L3t8FdwuDZTFZuUE3joNKDMEaY:pvt+zwuNTEzoNKzj
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150 1.75 KB MD5: 6cc8994615e127c820644c8d30b15795
SHA1: dcd75efa838513bb7a158ce975a9b47070095bce
SHA256: da3ee7d055647d485092422d7bb15a4be07cd3eb1ed51dd641cc753b7868152c
SSDeep: 48:siJd8VqLoFAZS/RYda1SRSQjgZkl/inpr/2Ts4a6HgUi:9JqVPyfQnZ2TbLHgUi
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9 0.67 KB MD5: 04ded97832acdddf673b782a5b0f6f3a
SHA1: 587f4043080e52078f27558203e0c9d57e1633c8
SHA256: ae7eab52d7b7b081de38e2eff7358b1a32f873d04bc7f7c618d51e7141e5de63
SSDeep: 12:gXTWJ9MxqhJGsmxmory95jrNyhcu6REfcKTECOy7nVq7URzdM3kK1wFCDkq7N1A7:AToM7Q95Ehcu6R2HJ1nV/MpCFM1D4
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\D_4_1U.m4a 30.94 KB MD5: 317936039822c8fd9ede02e3d9a592f6
SHA1: 860f68ed9f58dc16631fa55cbc986a6111fc8006
SHA256: e85b8322ac129c4347f9c7866ef404218fb0cf805e56db02f779d524b3e799c1
SSDeep: 768:6PQVo3DLtb83L1vFcodOa8McvulA/hlLRoB3hsP8N:6PQVyDLpQL1v1Qa8McvQahV6BmEN
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\Data1.cab 10.00 MB MD5: 8209902bc5c5170398fd730143228207
SHA1: 7510d930c52c56be5ac8ec99741f072654219639
SHA256: d209d3e66599629bc5b0fa403f56f94378420f41573d5185875153d75ce23a3c
SSDeep: 196608:/cTB5nIacvEws0Bl2YTLNuq7zEqaZswqLhQTcvlj9/z2H7DLKH8:/cT7ItEwhBlnEqaeqc3/iH3mH8
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061 1.86 KB MD5: 49e4f64ea9895d06b496c0fcdf2a199b
SHA1: a681fc0e7563dfcf1088ef763c197f101fb64b08
SHA256: 8e8d7451f66198078f934495de8bbd8add2870cb6057eacabc645fc2412fc15f
SSDeep: 24:POnL0cJe6yREohK72Gz1ZllFqf6S/g9MhJnsDTBID+7GgjUUv4FVxUOEjLR86O7M:QYZK7hlIfn49sJngCgOFAOEjLRYQ3
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\04_Music_played_in_the_last_month.wpl 1.53 KB MD5: 7592cb82ffaf3c7f57b9dd96fc0f5118
SHA1: e75ca812c54d08fd686c989305b05e29c841fe68
SHA256: b70fc9708d7d98f120d66a01219bf45a8f038b47a9eb49e3508754fd1efdf565
SSDeep: 24:VHvgW4Wz8Odt8tCo54SZ21pep1mvURwK9tEuW/eTD8X//Qb0a:VYW4Wwut8tCoGSZwe5RwK9aeD8Qb0a
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\Built-In Building Blocks.dotx 3.99 MB MD5: 7544a9683e32ec38a0229f668e79c0c0
SHA1: 73c488984c914ab90a5c156c8b7413106c2dae5a
SHA256: 067a1922c67494372e1f836dcf159021c5353fe0abccd7f24cc26f858eb8454e
SSDeep: 98304:NsGLwm5n0c4HTUkU3mt3KoFvEJoH9pGfTRDT8Mj0zQc8v4EwTc:GGv5n09HTRPvsJE9pQjYhERwg
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0000E713\02_Music_added_in_the_last_month.wpl 1.52 KB MD5: f9b364613d219a6e04a97dacaaf12c7b
SHA1: 31467b1c528ed4c05dd8332023a6723d70d94783
SHA256: d1f4c1a7ff88ac945d7013eb2613de5b92a86ba1d6e1b061d6106347f8ff51a5
SSDeep: 24:EjIodA/32jJT7IJOFUjxVOv9Lr7V8R8Nx9Lq24JUa2+Ck7cRbPP91XpSrfG8Vun:EWUT7IJIWEt7+Y9+24aazMTPrss
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Outlook\Outlook.xml 2.69 KB MD5: 2305a14ebea65555c6fdf78af4002be7
SHA1: 947550db423a9c752be37a3664e76eca4d694b06
SHA256: 07289f602f8e60f6d405ad86f6cd0ab72fcdc4063656599057c205b7c5e8da2c
SSDeep: 48:vGiqPzuT106c87VnBT1uTRTn5Rl+/ntBVW2j7UlcjCvf6kbfTJEh2OzE9FAO4Z1:izuT10oBT1ulTHQ/DNcf6oKp214Z1
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\79-9QkC.bmp 19.83 KB MD5: 81fff173794447943504988185ba1940
SHA1: dc4f2d44944445364e543682058a0ebd1abcd768
SHA256: 223247f494460bbe4a6ba7ed4e31594b68fa91b20b55b0e8c59b40e026ad620d
SSDeep: 384:b2YHnSBCvis0v25w823CKebfYkKtr8cxtng3cpoGtqQ7XWtoLJuLVXHqW:3HnF6sbwlyTZUr8c5kQ7XWOLOV1
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398 0.74 KB MD5: d9705c9aea91aa34e576e49be1131133
SHA1: 7f1a582d733c5185f17f6a00322400810f56bd89
SHA256: 69feed5171f4296e57adbcf3b6ca45293a12d71eb08090032f71532da62b2f63
SSDeep: 12:dFKsc/ysAvlN91rJ1RZiT6wjIx6y2Vz2zZu6E/WQ5p/xkfMGHeCedmQgP7MpKH/+:nKTmvlN9FHIjIU1z2Vu6EZ/xWMGHeCeH
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D 0.66 KB MD5: fc82cd11b5574d19968a6b8fb5b087bf
SHA1: e87415be764d56ce8d069d40f3f30c9287173a66
SHA256: 896c7023dfdd9221ee536f3c7aec09e039ddb4cb929488d2f382a00394489439
SSDeep: 12:hdbv2UASx3AiwIHlc0qW6RPBN/Ob3FX1onbivrguUWfikFP0looK9f:hdJASxGIHlc1x5N/03FqnbMrguPgd+f
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001 1.75 KB MD5: adc49e11ecdda1066a07ccd03ca7776a
SHA1: 6a8bfd041a365af03f68da76fe933557b8356333
SHA256: 1b26c0e12f7bafc792d0e8cb29c911e3b1a558382e58b0aceffbdfe64e86ad72
SSDeep: 48:EskJ6OZLMnAEwAjdCVzdI953vJZSeFzNW:rOzELj0Vg5vSelNW
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\dZW Jhv3BGLQxFR.wav 47.35 KB MD5: 0600e37f69e9606a285aefaad390a855
SHA1: 0b57803587ff611e8cc6a2e4086deb6868efaf50
SHA256: ee86496d8e653daa734d0c9a755e0c81773c30beaf31c96707f7705216fcd294
SSDeep: 768:noSWw0eLgnaKz3F42LrNDPrBzrLvgJzi/hLjJAyXzDGHm6zI7KBB5PIzHGK:noSHX8aKz3Cw5XBzrzgshO6GHm6ccB5E
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875 0.63 KB MD5: 0d1257e8f7fe3ce2b5036a64c8bffc71
SHA1: f46e4b02ecbfba88d1e8a08da6871ef8eb0a4739
SHA256: 05bdeee81ac2cc6371f1b6295cc08427784c6007cfbb2e7f1016a5114598a72c
SSDeep: 12:4ZUk5IGczs4d1wZAL6VABautlPtIbmYn46icgsWn74lG:wSR/d1w5kPtlPtIbmo4XcPSUlG
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852 0.69 KB MD5: 1d086a21a3a39ca3ce9ba1b24ddc1dbe
SHA1: f43b2d285e60e9283fae20c2abb8fb80bc8a21bb
SHA256: dc4bcc5593099a77fdadaaaa8aa558f091b7aa5d696bd2afbf4c0e573b54e74d
SSDeep: 12:CJuCkYsA+RO2scuHP0dXM2fPIwhpLdaD0YdW7D/mmp:CpjsFOTvwM6JaeHp
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3388679973-3930757225-3770151564-1000\83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f 0.31 KB MD5: cd854ac7d46f3c401da01ee142843e66
SHA1: f5d4d8590a0d090fff656d95a2161aba3444e31d
SHA256: a3b02b6bf6f3cbda45c1ac9413f30fccd892515872409d6d376725f663c3fd85
SSDeep: 6:dXm+tV7VeqOVECWyVLF9CQJ10kNCpa5T7Qt8Tz2cyjuPaEVxiAUFWU5XbKki6YKd:dXJDVkWgLF0QJmECagOH7ydN95LE6Y6l
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0000E713\05_Pictures_taken_in_the_last_month.wpl 1.05 KB MD5: 36610d53154aacff1edddd8bc95c5d40
SHA1: f617f05fbb442bdb776c72137ae3a3829e425da7
SHA256: 56e26a1806ec7835d2a98818323201855cbad17b79ce203dcf3423ee33a5ea4f
SSDeep: 24:zie4dox63shgJXteltCBRew0P13Yjy62/g6xVvGf3N3vYIHJp:FeVcmMtCTWd76z6xVgmo
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1 0.72 KB MD5: 98df39d7223e29bb4698c2e10b1e5650
SHA1: 85041aa251252ddfa7b0e42fa92ed647db076bfb
SHA256: a4700ed7aa01f69b38da036a341ce928cff6360a7f1635884f446ad196039a24
SSDeep: 12:cr1ByykyeOCefcX8sgWgpTURvPfbbVGx3yxnloOklwDf3umLy5o9m5w1h:caXy88ssM/bbV83yxn6uVLy2450
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\F88zOsP5WvaL7g.bmp 67.35 KB MD5: a29b7fac4a0405877b15e3a70bc20fff
SHA1: 3811a30bcff4c9da851446aa20c160a25ee55e31
SHA256: c58cbd76d50dce16bc88266baf33afdc91ee97b9342c841f7cf6232029b197af
SSDeep: 1536:U2nZ3M0pQ1/ET2Z8t7c+nLPRcW+ljluJWNnNftf4W5:jnZ3HpQqimTRcVAJWNbb5
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Protect\S-1-5-21-3111613574-2524581245-2586426736-500\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9 0.74 KB MD5: b4cffe92308b1a714c946fc751db91a1
SHA1: a22c7b670e93281303440c80aa99bc099296ad39
SHA256: d5b1cab04ee5edbf21a991669915cb6ea98174803b205270ce290cd10bfb43da
SSDeep: 12:6qFjI6fZNia9hK7oUWqannZ7eJFLaeV6Qr2cR2Bcgxp+WsKAnJp5weyQFXNW:VEaC7oUmnZ0bVjR2GWsxpiez8
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\jre1.7.0_45.msi 885.78 KB MD5: ed9c7b93a138c1c068472b037e3b0bfc
SHA1: 6a14ca3308bf4a52055c78310b3ac18c933d449a
SHA256: 566d9a1b01a2fa0f8a17d6345d706d12c76d0e41d5eb095b7eb4bc050f78765f
SSDeep: 24576:GHl941hWo0XkcgJ3Jm0lLat4KNgtjfx+IiHnFsr48lJ28G:cQF00Lb6abRpiWr48lJdG
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Outlook\mapisvc.inf 1.38 KB MD5: 1b45dcb9e2e8673b55dbec7662171673
SHA1: 65208fdd6d8a65b565d0523c7ea0560674d2b72b
SHA256: 0001855567f1c9a53e4091c2be474a8b6a2bd18b38f69fe1bac5a9f2e03feb12
SSDeep: 24:dnA+QLSrxJEuWHst11Zdfl0QHtJXedWxMgkjerj+rsnKFsxdLGMQU2K6v/:sgchYVkxerj7nzXZQUYH
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D 1.89 KB MD5: 87bbf931d19605c107b13e9c3722d798
SHA1: e4c3590d883f968894edcec85668900a802714b7
SHA256: 31070684baf6f5d55de01007420c09c2abc6be0ac6db7d0ff8cec84f65fe834f
SSDeep: 48:Fs76zWHB/KsQR8ELsZfsKIm7Pa7eCXWQCWS3SW58MbdzmlUgoXkiE:Fs7xH1ZEKIm7P4eCOnU3KvfE
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585 0.66 KB MD5: 52d7e15bd02f64d7a8ab1674a56d9b3a
SHA1: e3d39334600c7a10958c825cae6d528369ded159
SHA256: 9392d200132e89d740010cf9967292c0ba50eb245b67fe8884ad172860c85cb1
SSDeep: 12:YVVS8gfbgwqga4njAWSxuvVRQFnVnHV9HWRursuPu0Qvz2zP/UdGn:SVSfZi4nMWSxuvV0z92Ru2/zEnUsn
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\ZokWWlhWpdCTwCQftX.bmp 81.05 KB MD5: 7659d58e070cd35a954e89fc794a1672
SHA1: 9e991f0f28d7ad18e845f44e2c9e16890033e625
SHA256: 3a9031816ab9a9015c30bd00d84d2237e472e0cf0252b92d722e119c4ae43693
SSDeep: 1536:TT1XLMt1uyHcRgP7mYxDwsbT96CljXKliMyHwLm6ftPJlRDsVUrqI1YmeS:TT1XLnacUx1X12MMkat9cBmV
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\4BiFrslJ-KXrZhd.flv 72.60 KB MD5: d147c4dd4b33cb7ca06f116d86ecb2c2
SHA1: c804f89db8adafd80b13b22e79c5421ebaeca927
SHA256: b6a38f962412ccca77cbb1fba0bbeddde11b7abb3388395f412407d7c35d7dc6
SSDeep: 1536:+UlIEFioeR4PFZ32CjPwYUD9mhuBv4vHJXg/FX8pwgV7sT9hR5cfq:+ToeRSFJ2CjPwYUDGuBv4+/WppGhnEq
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Ch74UvQlC.png 58.35 KB MD5: e7d0f8550bd2dcf670447381f497e446
SHA1: 2dd521b4cb59d5401e3a1c6f91dbaa743816350a
SHA256: 30f5d8797cd0ef9f0ae306c11a4dbaa50d39e428ce595bb31863ec821b5c7287
SSDeep: 1536:mz5kgxd3E4ZRXLSw+OjrqDbOb2uSWvwEuKcsVjxg:q/3tZD+ym+lSWoKxVa
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\1QW23kUKzG_G-0v.pptx 88.91 KB MD5: ed49482ef07807cd1470437dcfe71816
SHA1: ecea4e68f94854f26715865e38f4ee672faac28a
SHA256: 23438f3e958d1d7883798cb6aed7a0341a724736e4a5d9e1be1d86546ae060a2
SSDeep: 1536:wEk3eP0/uXfWQElYfgppZcTKmp6dD/4axhEaiMinnYVJBvq7T3gZSS:w/uPJWyWcTz8D/4aXPiYVrITCb
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\31k449TTNPE.jpg 49.53 KB MD5: 30389ed9de02b93422a521c113800ad1
SHA1: 69847d1a0d21a14b0e722aabafffdd129f73de54
SHA256: 1c0c6bdb8a1045c8e8e316c7c1a398df67c0df4b26ce7a41897155a419884a4c
SSDeep: 1536:Eyd7nsRnflUbidfIFWARN46/05XUyJJm2HrJ:z29UbidGxRNT0K2LJ
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Adobe\Acrobat\10.0\rdrmessage.zip 41.77 KB MD5: 3ca37bcbbdc30bc0861d17aac6b26d3e
SHA1: b84283c87143dc688da858a3eea196284def402e
SHA256: ae077dccad35d16a51cdf4dcd8c4a698bbda0e9a36091c7e504835ed461db5d0
SSDeep: 768:8pqbnh0qjMsac+9uVkYBBy0EaF/3/UCBzXXGNpv7KG3Y:8p+0IMsahKk1S1P1BzC95I
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\03_Music_rated_at_4_or_5_stars.wpl 1.52 KB MD5: bc3a2c5c3dd985b63364bc30284eeff6
SHA1: 01e30713c2e9d6a096646f203a6d5c4684c77951
SHA256: 28098987829f90e3f42c372b05f47f8960af088419295be500820d406afceaee
SSDeep: 48:1s0Kvw2f491G2mbhcsXO4gbboye1aqfFECt:1s0HmjXO4HXMqf/t
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\mENX.png 61.08 KB MD5: 57f0743ee3347d80f937ce8e1903804a
SHA1: 1edc3cd00204a1ec68440b33bac8a8c29ca3042e
SHA256: 5f98f8e8c41d4761edfbb31f45b9d9ffb6416fb231aed4b631a3be50d6da9813
SSDeep: 1536:v02oxfg6VPn5VLJXkBwLpujWUG3AjwiF6+H1VU+Ot/z:v02oFfMmcyUG34TZH1V/Yz
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\kfGzsrdqo_r0wo.mkv 60.78 KB MD5: 5e300b3ab312362404a56eeeb0f5caf2
SHA1: 0b0af0aa7d285e211191461e048de5af461bfdf0
SHA256: d8827ea8d6ac1bd974898a26c2fa58a7c9ad6812112d1dd91e3813a1912b7e77
SSDeep: 1536:PgrE0cUXGU5V238uH8Vx6LEzp1Muv1Geb1:PgrE3UF5VU8uHAV1doeR
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\AdobeARM.log 1.72 KB MD5: 95771b515acae86d70eee1a3d0372c9d
SHA1: 7167dc860d460899e46ac02a25a57760ef4000bf
SHA256: 5a78d65d27dd7b3ce17dc641ded4a63d294508a253acdc3b16346621cc5d8521
SSDeep: 48:cNb45WdwOPjdPjDmlwFk5v/dYZb5dbD+zx82KJ:cWjOjJSlwC5vFYR5pO82U
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\C- nMrMwd.mkv 72.63 KB MD5: 80920484cb911226f1a63dddf4dac70c
SHA1: 950fbfd3d9c914f62f652824e73d2da60babeff8
SHA256: 4c0a2bea3554677b283612f16788d634b7fc660ad148032b6a944247b66ddc68
SSDeep: 1536:GMYwHn4CYzGb1bZofSaNASdFwHB8LiDxZiYmFD/2lNQyZgaSxK:GMXVof7AucBqiDvgFaraK
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6 0.66 KB MD5: 5fc86e894d345733abbe80bb11801845
SHA1: ba84dd931901fc843b6a9a7d3f2dcf6bd2eca6f0
SHA256: 86e6c49dc010114e1640e8b76cea407a68ea422d3579ef03ced591917580e384
SSDeep: 12:VJQmOLQDuzL7doNrEiAHl54PVvApOFkRFeAt/0ovxZr8DOAw7E3lxDngqC:VJwLf62iAHl54PtqOFkRYAt/0oZZEw77
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Outlook\Outlook.srs 2.78 KB MD5: 0b8256db02ee17d014e1a93097d5272b
SHA1: d8c302da369aeebf834baf2e79fe7448249a5f8e
SHA256: 73aa7dd594fb5ec9cb42b6a011433b0eaf7409c776175ba73c3865d68c1e4095
SSDeep: 48:8NP+yVnBlIIbPyxBaTlV2qcoSK9AmNpTRPp+53auzGnzGuq+PsVErkfZw2mgt/Tu:goIjyxTfod9dPpea4GnzGtc9kRXVxcqM
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.msi 181.28 KB MD5: 3683ced7d57ece3fb413b5474ccd8827
SHA1: 95ff6604b1185e5ac2368254b77b686258ab70ff
SHA256: 8fa308fce8fc3a6b9804fbb551afbc4e192b5c3b304b2f9239b6a961115e721d
SSDeep: 3072:b2y2Wt99mVeDUJCQ1RySd7tF07Fb5vHpFjQONN1776QTw6sCq3vufzRuJ3gfuyKs:ztvmVeDUJX1RySdjwFlR1zN76ButuJOB
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416 2.00 KB MD5: fcc3e3898a8596fc940edacc396765a7
SHA1: 18098f0c8746fcaec6edc8fb86975d3b90fe2c08
SHA256: 0fac8efe0441aee43b20c9925e5688293efc1f4be4baf972308b30e09b106303
SSDeep: 48:tBDyH47DILq3k0wqnQpmmiC1IvpAYyve8CSbQL/:P+6DbU0w2wNiGIhwWybQz
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6 0.67 KB MD5: 8a33ad8940903ed056413f90a8870562
SHA1: 42f0b3b760c3225c267360b917b70c48a4f40f4a
SHA256: 2047bfb46eb10e2d3e67c296ba2770f1b33627ddf3ed8bed5c8487d5138d91ef
SSDeep: 12:f6bdJlDMbjzhKCIdQ2LL/lMjBkiU95Skk6LqAdWPYds3biEUBlyld99aVroVqnYh:yPKF/ISML/lM9zUBk8IPYS3AnylTQVra
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416 0.66 KB MD5: 9459413bf092755f90492f39c4f27edb
SHA1: e61558363727134145dbc07c25f22de7bf55bf36
SHA256: 31f3ada352128ab9c4f0dc53dc627a0aab816832ae7f82919f7e8e77eb4158a3
SSDeep: 12:ntZaWuoKwLmqXh5pNsIeQ3oh+YVCxJI7uF6o0n9276z50D:tkX+1x5pNs+36Cx0o0k46
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\02_Music_added_in_the_last_month.wpl 1.52 KB MD5: 20d01912f7bf2cdf1d41b6e845b879de
SHA1: 5cb22997b79a7289a55079245e6df6bfcbcbf13c
SHA256: 773bfd053bf667bc19b07979fd9207b741be8a97bbe101e72a1c095d01056bf0
SSDeep: 24:cR9H1UtNzI2EwO0fWCa0NHz8f1HeZ/I9HekLCMULjYvn18lofEuma5UG8MEb:wViNcn0D5z8f8CULEn8ulG7Z
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0000E713\03_Music_rated_at_4_or_5_stars.wpl 1.52 KB MD5: 918ef01b78f891f7aa359ed7a6fd85ed
SHA1: 65c6f0112f2d707fb349987494449ee6f7ac6156
SHA256: 9cbb360f91094c4c75aec3c9b5cda048ade066a32c16bfda1943fd3bff277712
SSDeep: 48:FFQaogBoe7nibpGucWofg3dbTx+DEdZDnudy:/fog5isuctfQhOy
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1 0.66 KB MD5: 90151cfca843ad4b3199d6218ee18f12
SHA1: 194b8214e447d7635f235bc9382a453e0636bac2
SHA256: ef9c31c4b39dc0dce07224168adbfaa0093c33338a8dc044eb7234226eb0c6d6
SSDeep: 12:nq9boY1vVchJcERtkpdZstGAGLXpqaPkFTJVtGSn6FC5nBmTO0cOJ++4w4K370Ae:q9boY1vEJrtesJyXMdJVDWoBkOaPp37I
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\ePJJOlStTcqgNK.doc 75.11 KB MD5: d1fd9effdca63cc37bc07c244c8eb61b
SHA1: 3e5191bc3f6b716aece22861f0fbe4dead5f776f
SHA256: 0246b21c071dac0a4e5f5060b1d85c907fbc5b27b84c8b20c8d555e02abd3a38
SSDeep: 1536:AgQYNHIod62UDdxtl1aOcPKaBzyD/aWf5y5MduNo5eRRbheBaff3:AkNood6X9ba3lKiWwM/iVWaff3
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0 0.72 KB MD5: 1627704a30a83dc7b30366b2300b9b08
SHA1: 49cba1323be795d4c860a90197e736b1d5e57ec0
SHA256: 937e6cc1d00f413e7e20269bcaa5e17ee04132e40ae8258b0bba5efcf130d6cb
SSDeep: 12:s4J/5DSRQdYqDgh/z+PRrK8VY37Yh/KrEPtiK5hhqcL3uGxG39E3akZ62ffkYarF:sWBSRQCqDgh/iPpKCYEh/AEPoK5hNjuj
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Protect\S-1-5-21-3388679973-3930757225-3770151564-1000\fbbe72db-afd8-443b-88dd-64b20388700d 0.74 KB MD5: a53f6f7d9cee83907ad63767efeeb32c
SHA1: 072de27c57ff9d0227ddbdbd6337f952e0a70f0f
SHA256: e4ce5e8ea67ffd49f129fb5a703f3ad888d6d3a28be3c4f36e1b3e874064ed0b
SSDeep: 12:+KSxwqsbSi8lvRIj8WzJbnqsjFQPZuewMH6zaAXMR8eZk9DyGPeX+7ivdU8Xn:YwpS7p2X2sKRueszQR8emRHPuACu8X
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1DAF2884EC4DFA96BA4A58D4DBC9C406 0.53 KB MD5: 0c266bb8e36c26981e4c47ad4067ede8
SHA1: aad763b3c59b2bb4cf76dd83c494838dfd742fed
SHA256: 22095ea3dcd1bb494099879dd34b30027bed20d1f6ea5e5f1e13e7cd8dd48379
SSDeep: 12:sirCUwrjm0eYmS3adJUx0C5FcuOURbk+hF0doAQJRZO5P2n:s/U2xhqdJUxH5mu1A+hF0doHg1Q
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220 0.67 KB MD5: f62ae104f0459c989b314a24acac9f05
SHA1: d1e5cf030cb08659315cf0b0348b569c21582f14
SHA256: a557beb3f6ff0c2d527e26797f08f4a6aac00b6a4765ef2368e6db5b0cce70ea
SSDeep: 12:vA4wEmjYuM0bBSFAKADiZ9bfKKuCFrGp5BjORMgNhRjh1eaoFt29zh8O4ykCjL/e:Qx5MGKAKCKbFrQwNh9jM7Mzh8HTS/mB
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE 2.00 KB MD5: d1a64a7b1b4638e2c92077216627ab9a
SHA1: 03448afa2601a63c072237f8f1b05409f82acf0b
SHA256: 26674d821926fd7df6d50e0c8c718783863c867e88a63a258869e187387dbc39
SSDeep: 48:RfVb3DMrf1hYAeyZF0jDAeowmLFeRYa51N/Bfz3xTyAbO:Rdb3Dw1CAeyZF0fAd5LuYkNdz3RDC
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC 0.78 KB MD5: 920ecf87a63b7bfdba5c37d8c0e50463
SHA1: 0eb80dd7ad1f7be8c370cbf3973b0c1c921e21f4
SHA256: d628d223f0ede319a9bd53f8d92ed635eb60ee23cd54ce97542748560b07e335
SSDeep: 24:lLPB17iWwj71vO77sRCF9uLE9lZQV5yf1ESMz:ljB17ABW77se92slZm5O1E/z
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0000E713\07_TV_recorded_in_the_last_week.wpl 1.30 KB MD5: 2232d6e32b8fd6150964e1222c58c87b
SHA1: 2bc6b6aadada56f010a4e18f25633afa5a383a0d
SHA256: 89ec4486a8cb047f1bc7c1ce7ab27fa9cd68ecb175b149ce216dd78306cb9279
SSDeep: 24:XeqFn+vFWcYWMNnA8ivSrK74iMgPgj/4bxNLcVeE0ws03pP6y0AGQaI3sGw2trNb:XeqFgFsWMNn46q4d14bxtJERhb06QGf/
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF 0.66 KB MD5: 3fcfb6c87493806bd9480b85b8e03cd5
SHA1: 39f44938bc195b40d69136171a7c10427699a25b
SHA256: 6391ad8d786ca72b049f286f3f771fba1084536b82c5885c4f08e4b1bba613a5
SSDeep: 12:/h4K1+lEqWGGkcC1uwOlYx8/4mWNQpT0yy0KQjWdXgeqEAy0YDwtNfxjx:GK8lbPVcwJOl0dm6QpT0YKQjWdXgeRA/
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\24L7aMD.pptx 85.49 KB MD5: 6729d6f8671da1884ad69ff3838fd43f
SHA1: 0074d06611d88c5e1985499c7f9be51cd34534a7
SHA256: 161efa11011e1c2d14a479140c1ff5c717233c133893c591cb11e4c60d485906
SSDeep: 1536:EesLNW3OJOKPHP+dwjWnG3tPMAgplA6OaceVfbkWr2ueAQCkn8b/aYCMMN:BsJW3EPHP+dwjPtEjpC6OCfAWr2unQFD
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778 0.66 KB MD5: 9c0b8b976f7e0e9b2e6b438d17a5816c
SHA1: 4f61d4fe34cec1af3ee6aa5fab33a8ae9a02866c
SHA256: edc1462b9921482601a0135b78ac89b52ee4b6dd4998445eedd5179ada2d68a5
SSDeep: 12:NwnsCIQc+WakoZUuftLkl4yud1dA7Aah1f0JpCXErXB742lb:NZDjoZ11LAA1dAVW4XCB77F
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\Xizw92iHqmCzA8.avi 25.97 KB MD5: 5662af7ffa67d491121ed70d4cffcbd3
SHA1: e3e957cabefaefc55b6f5e26466b6ce693a774b3
SHA256: 48bfa59d1c026ff3060d971577d87668157836a9989454cd3d5d9e0e976afb69
SSDeep: 768:gDAds+LwkgAS1Mj5KWE8RzVe+QN2/6i9rgmTZ:gD8CiTQ+S2RgmTZ
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\PGShtx.flv 47.36 KB MD5: 203374ffa488f88e86ac73787c396799
SHA1: 060cd135cb721db6cc1a1a76b50694d89ea76755
SHA256: d6b83c74926c634fada2050eadf1cbbbdb35c8b83f1d8528004128b318438a00
SSDeep: 768:+p6JXx8HKakodbq7K/ZV7HU9CHMBlqzhJnSSuzXyUt6nLmZdLhbmmpyEgl:W6Z6tkuPxVzlWwSVZeSZFXm
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9 0.77 KB MD5: c3985c0948527c6eaa3c43a8c034a16d
SHA1: 9a45145dbdc4145f8b19df21a2d2d0ba98689161
SHA256: 44409680d1818c56bd076af5223cbde9587e770228d9763757fbc1781138a170
SSDeep: 24:xxchV1e8mWesEuEkvEMI6xr3IOwqwl5W5KE/k:shSXsEu7t4OE5WUAk
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\StcAE2tTjZztvsvpV.pps 20.77 KB MD5: 19758a78cb887a8c9b64e378431cd6b2
SHA1: aef9c81e1a45ddfa3b4faf7abfdaf3a98406e613
SHA256: e095ab8cc40d7c3de924a05b323f1e3c757668ba8fe22c6baf0be698ab521e51
SSDeep: 384:qYJbFDz1LnoPcHvMlRuAU2ErlF5aSDuGYu2GgITn8/mHVi2in:zbJ1LnScH0RFWrlF8CYrII/mHVi2in
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875 1.63 KB MD5: 11db0f316cc378b78c20367d92ce3e2f
SHA1: 84b68dc2dedae0ca53a46e95e451c77afd147231
SHA256: 2613467d7daf1bcc7dd2c44d56df60dd833e15f2a1d3fb039b786271244c07b3
SSDeep: 48:JNECDoYmPM+9qQ7y4lpdcP0WlIdW0NZn+SVyNKKjyGVx:bECEYmk+kmy4hwKdDNMuwKKjyqx
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Office\ONetConfig\350db95df4cbd94b2a1c300510e12e11.sig 0.41 KB MD5: 812de7d736c4e0822e5b1a50e1571ca6
SHA1: 77dc5bc7a28a53639200f43b3a86feaca3c9e158
SHA256: 30a47e09ff5772936c5c237f929c848fd6e3cfc1548508e83812e0719210100b
SSDeep: 12:MxJORJ0vMpCdx1/HX+hHWOu85x6HjVT9GLF5YNuB:MsWvMpw3UEH6LF5Y+
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F 0.66 KB MD5: c31bf49ba0387d5e489237933ded9d1f
SHA1: 73961f38739547b33de71cf965d0a6f43727bcff
SHA256: 1768b9778ac80d86e182d24efdb70a93cb91267e1b56ed78f9031f3f43890689
SSDeep: 12:cK8o6H+Ro+WruPbOmCdb3w2amSLl/6gAgDUqmrsLOagTTExKyYO6vb6/Rnk0K9xF:7aHlbuPOw2amEN6xgDUZrsLOFfE/5g9P
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\12_All_Video.wpl 1.33 KB MD5: 4979666285a4ab5997cf79274d30b3b4
SHA1: 31a67a523329334c124ed8cfa71df01498552d99
SHA256: a2ba3a785e4bf010db2ee87d237f82525e8f0edf2bc82e5481619468f9686bf5
SSDeep: 24:rzG22KOJOSeg1erdMt3pLAhYHxZWiRQIY50XzJngZozDI4bGaQOE03AycP:rzGnKOBeZpM1ZAhsWiRJE0XFngZozDI3
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77 0.67 KB MD5: 37a999167731d3a817cb93e12d554e28
SHA1: 320404d58a5c4a3c170e462f1afb190dec6c373a
SHA256: 2342761bf31ef58385a5cd33a21dcb3c530215c3d78e5377469ffd299aefb35d
SSDeep: 12:H1O6jGJrOZ/Lz/iyrDls3fwObkpmTFLHQPX5eSNuvQdy400MT4S6mBmm8SaT:H19oMaynliP1Qv5J460tT4Cmm6T
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21 0.66 KB MD5: dce2e3f651fb15b191c46460f116f237
SHA1: 038f9c010306591fc7edb232a6996403c462b2cd
SHA256: 5d9de2d90a6814aa47b2bb07cef18af5259cb4859ff92abca33e520bcbbab8b4
SSDeep: 12:Bw5pNIQ936uzrGWY3cwP0LkG7Iy2tvlaw02ERguJLEgUVIweFpn3xr:B+MuMOwGT2ttaw0zZJLEgTwqp3xr
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0000E713\12_All_Video.wpl 1.33 KB MD5: 7d554c0f8df2b1c4a743ae243fedf687
SHA1: c5369151d7b12d4781f49c30b80d2c24d1cef88d
SHA256: 617bdd6f9464b572db2ae1caf83ab45eafe2669f99e716aec0f16bd84f441b26
SSDeep: 24:6JwYrMm2fS3A0e2S8f6dL1mhRicshVAZ+9ieucsoOS9wtsWarWhtI:2Bglq3A0/hf6dL1mXiVVj9ilAw2wI
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD 128.28 KB MD5: fa5cf4755a2eedd3736adee4a05afddb
SHA1: 19eeee26ab2f95f2730d052560e381657029cb0f
SHA256: 94f05de990b91e9702e57ac9b64f647a815307fd81a9d585ce19fcc4eb63401a
SSDeep: 3072:5ZOqVlKDaGFGAvz8Yp6ixNAK1Pzn5cHQGNrnzJl:5ZOkPGFjzvp6iUIwQGFv
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778 0.72 KB MD5: 81862b536b43988743893c51f3e91e14
SHA1: 6fcad16b400b7cce0998fb92cc78cae2392c63f4
SHA256: 960e8e18c45467828af837ea10c653aa161652c8b12fdbfd569b994a42fdcad6
SSDeep: 12:+AnAWinpH576x+wxkAY+8/mUcgeaEN+eAHbdsm60DSSWhAB6yd8QR5oHXHwNuBp3:/nAHZ76IwxS+8/NE+eSdhLiyd3vo3HIG
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\-Wn- 5eycDY.ppt 30.02 KB MD5: e2b678d72bd1f7032caf4f37fd03b118
SHA1: 100801c2648ea80534edbc3a242425ce5f556092
SHA256: 6623b7865276ede349a414e32273fccdcebb753025cad7d73d04101a154cb562
SSDeep: 768:rytrTcr15dn1wp24gChG+U8sVn8MOizX4ki+9xh4zt+G:ekY2sqn8zizoJ+9x+ztB
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb 1.02 MB MD5: 7a084599dd80da44b93df30d99a4fae4
SHA1: fe6d274822c9cbc77f7bc11a9f1f0d05fb693acf
SHA256: e1f0a1ee0e6c4d617df515f3544b0da25860630d25ee8a0a465fa8ae51adcf4e
SSDeep: 24576:y1gRDU7+BlkRsSsD5g7UYMwfC/YnmplCltreVgkLx:y1gRDU6BpnwxdltRi
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE 0.67 KB MD5: 0c4d8e082199f05dae02a0ac67214d5f
SHA1: e84cf84f6459a68a3556645cbc1a9d8395b50906
SHA256: 213a065860d48c3a057a2c7cb6303514dd9261939e209830c3be719103a566cb
SSDeep: 12:siC58/efQqDrNt8LykJjUOQhxNghiPE24FmBrx7HstoZH9bjxsFQQc:A5pfRDrP83pZGghiP0FmBrZnZHVHR
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D 0.56 KB MD5: f80c5ce56558f7ef1667a76fd1614188
SHA1: 4fb2cb681f092c358b4fabe02e66a7d8e51617c5
SHA256: 3a7361f081fc9cdcb76674839abf92f348b1e1cf6fec8bb0ba6f5ebd23f55e57
SSDeep: 12:ScniME+PbZOkcvmpq2LsGn/BU3/uX+ClFQdCvJBbH3v:ScHEU9dq2LsieuZDv
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF 2.00 KB MD5: 7fd64eacb1d71f55d15e455162c4e652
SHA1: a37415c24e106f96b0723f02350c9840ab8e07d4
SHA256: ba49acee7bdb5a38408eb99048ab088c96786be267110cb2c1790247342c55b3
SSDeep: 48:L8Z02iyJTkdPN99j7pAaXzHoJ6jK3YsaAXMeZlSRRcMGaQRFRe:wZ02xJQhNHFAa76MAXM4IRRcMG5Te
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB 0.72 KB MD5: abc42ff6e32d0c7bf6b38a24e14c6033
SHA1: 0b8d330e22a749e3fc78041ba4d5f8691908c0e8
SHA256: 62bef7aaae85cada3c7c3932238aaf81fa9f0f4f219e9240fd2867d69011ebaa
SSDeep: 12:MmLquSkBLQWZD+iudy7AKI9LvCkdTop5rkQ38CiKl0ZTJRA8Ls2KBB6oV9ba3mW3:1qKiWABAAjzNIrkQ38vK+TJCos2KW+NI
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Adobe\Acrobat\10.0\Security\CRLCache\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl 37.10 KB MD5: 4a3f0ebb029464cc6106df168750300b
SHA1: 35cb2afd141c95ec8eaadc3dbb5871924d023967
SHA256: 23d8cda0e22a2bdd4e7e402130c151529bee295f640dcb25dff0d314832a7aba
SSDeep: 768:4J83jXdmEq+Zf8s8UVaDxOzu5vweAp+ZCFFfx3Rh2lQbdvI0NH+ylTgMEbDo:4J8zXQEqgyUUdOzu58p+yLuQbVCylTdj
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873 0.67 KB MD5: 6f4892fd4203a8c279abdf2327426953
SHA1: a84c0b57a6c5e5a840e245cc10e80949c93dbbc6
SHA256: 4ee26f63f5af8e1cbc024270fd499d5067a40b24fb9bc09a4b1b3ea027ee8a95
SSDeep: 12:NvOhl4tW4fQb55zeYUdDBpVBodlxXSLKxpbUFdyBYnUPjz5RZwrnEHWtlLrR981:5iaxuzeYEDBhul0LKxpbUFwBNRZwrnE9
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7396C420A8E1BC1DA97F1AF0D10BAD21 0.81 KB MD5: 6ec2e3d20bf1f8eec18175786a74100c
SHA1: a75bc6a99133feda12e8bacc97d5b1dbdfe40152
SHA256: fd6ce1e44f407d5632eedb834cc85f5146715bd2cc91324ebb7bf772a5564767
SSDeep: 24:JSBnnpFsWdygJlm03IsYWJ+kmDweSnXBZS4ait:ARI7g+03IsRSwNXzSIt
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30 0.72 KB MD5: 9d430e9d2662d8db987e868021c44970
SHA1: aae6460a1e128087943cecfc1db08808ac5b3ab8
SHA256: e6f8fc570867a9bcdb2044cc1fccaf2cd496024f4860ad81639fb1d2c15ace84
SSDeep: 12:cta38/5xGoUJo/ixbj30Axjr9+czLr/mtdJfyWiFKSG1acKhqUb7+PxH4+z:cQCvGW/i1jRJp+S/meFlcKhqUb7+Z4M
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3130B1871A126520A8C47861EFE3ED4D 0.78 KB MD5: bc38eedbe85206c1e2086df2a739236f
SHA1: e97e9099fa1270aae62f3ff219cbdd412609b90b
SHA256: 399c0af97db848a94c1af630e65725fadb7f98b502af3400f304046af1fbdb67
SSDeep: 24:jUcwM0ucEzEt292CAWmHoH7IHVYm4C1NUFNEVF6L6q:jUcwM0TQ9TADHobj214mVK
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat 4.78 KB MD5: 9a74bd5a57296a3e70e67f66acadd546
SHA1: 020fcaca4a9bf11116e16d641233cf150000b133
SHA256: 15cf734ac6a4d5d862b5533d8af62e2f792be4e3d8e9a3f47b888573ce8d4cd4
SSDeep: 96:Ti572MyZ0b4OCiV7WSDI7TF4zMyWdwa3TX5GRM6:XM80bNlDIPF4IvH3Ty
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D 0.60 KB MD5: 42ee2ebf73fac57b28faa8f934eaeb64
SHA1: ce11684a79a85c66743180a1b22e58e0b5dafb96
SHA256: 09768b3fa78767b0dffe7fdf078b3abf185423c61cb00ab7582c7b3c01bfa6c4
SSDeep: 12:cEa3hIWKDJjLIpywE8SvH3FXRA3nYkJSCFbq4c4q2RWgFrxcbWm/oOUgn7Gl:43enIcxpATlbqKqTyTv
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6 1.69 KB MD5: 4ca06ebb4c4806d0e8b7426845554884
SHA1: 16680f60555e56da175701032247bbdf3c737760
SHA256: 4f49ff310e5112ef3b0681e6d26aae8b918e358a2d0b12746a9878ca255ff69a
SSDeep: 48:sodlinVUN5eW4VusoYmPZnz/G057kBQl63Zb:sovinSr6pAnjG057KQgN
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398 0.69 KB MD5: 62f726654dc966ed03da6c72824c206b
SHA1: 5d9d2af62feb7907abad7d2781426b205064c2ad
SHA256: 2cdcd962aee2781ebc23f1a976796d384abb9b305bbf9ae779ea7fbf68c5af5c
SSDeep: 12:klD5l+i80ucp8ROGQcrw6NVQThOT+CdUKoDr0Q8vRBxIUpIAXBAyo4n:sPGV7R3RQNO7SKoDQNpu4n
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61 1.67 KB MD5: 57dfdf6bc328d8ebd9b6ae921ab22dc4
SHA1: fdbfe75937ee14f4539aa99b7e96ac65a09446ec
SHA256: 3fb75395c4b3f4d087bfc6ea506d2266af47aac5c93aa62950dec34836164f0f
SSDeep: 24:BWNZpJtShk2j4JVk5ydNG/8PISgAoY7MQG7xe0XM+XpAm3fhN7PGYhO7NsYnlBUr:+1lVGv9+GvXZAmZ8eN+l+r
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 0.66 KB MD5: dca5f9e9e5340e2bc0bbda530976d71a
SHA1: 48fcb37bc0ad298641bda58fb5498e0353cb1e2f
SHA256: af3ee2418e93b2f5b839e8aa193c1df004d698d59356af524e40703c055a8348
SSDeep: 12:ZAQI/7gUCNSPnnYSKOX/aNLp3wCFeB1uNuMrxz9xg2vhYBzmQiP:+QIz6UnY5PX3oBgNVhgiYBzmv
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9 1.75 KB MD5: aa333346327b9ada58699cf936aaa6b9
SHA1: 0605c3956522e8a6e689c5dcc0170e13bc3a3e16
SHA256: ba09a56dca04f4b0c62dcd4795cf827e154816365b715d697841bc3318437d1d
SSDeep: 48:GyiJ8G57Vb0wmESg2qLmZSWd0Ia+w7FgkaVukVrN:g8G5t1mESg2qL6S57mdV9pN
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\4g1U.gif 73.53 KB MD5: d8e963074982ad8dcae0714f9565abfb
SHA1: 554fbede191db84356b41db3ebb516a6bf50f7c6
SHA256: bb3242a32f96e04c555237ad9a63d1a25c3d2a3693e3577bb3f9b77b81381b64
SSDeep: 1536:QyVznW1WhLRJWa2bNuSlZGH2SYsVH+QwvX14jba60Cq43Ji/5yxjaYOl1ooJYk6:QydW1WhL7DZOZjgH+lvQuEqUiwxjm76
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C 0.69 KB MD5: 2db966d5262e4f444d61df7f68c6cecb
SHA1: 529fbea6f9976716aea3d33f84a0f44338e22e26
SHA256: 278054bbf841fb494492a3b56c4b8d6ab9cde208c6f5ddcb20f7fdcb46899bf7
SSDeep: 12:X1pd4OFc6cxqQvWbqEirWsg1DwKfMriWEH8xW5500pCxOK4Qp99CE2fKXJ3QAFzc:XHd4OFc6cxqwWbag19MriXHdXEgQp99U
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Fn18QvLhrLaviua8VE.swf 97.47 KB MD5: cf75e660ad1be3a02d3b74657165ff47
SHA1: d406508751be2ed1adb35d89d2b24c8c84eab97c
SHA256: c3ae52a13b476e161e2fd1bc57584e764ab31ec46e8ecc57bfa0fc3d2cba4ec4
SSDeep: 1536:R1LpjLXpWdpeaq8RFo1uIRTulOxCRxopW7gejvISGh8H2224ipEYp9AC:zF3Qrhq8RFllO0vH0ejASqseEYh
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973 0.74 KB MD5: 0b0ceeb951f5a6334a05efb0c2fcb11c
SHA1: 8a4eef0f0b491ded4a2ffb69eac4d07707fe427e
SHA256: 9ab2f7f1fae6fcd99184591e4291585019204d5dbd5b58b3d70e913f33581308
SSDeep: 12:H/f2fw7bnvmKevVpMICRyg25OlDQFSu6MOif0iAUaY0ac5ZkGD45BKakR:Hcw7bJevnM5ygdi8ifTA9acK5BKaC
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\MS Project\14\1033\Global.MPT 381.78 KB MD5: a12ded158a03289ca9459e10a6d2d003
SHA1: 2ae513c0d392a4d9b0291b84270d789427b8359a
SHA256: e43c4f0301e51d88df319cb13f472a56f973a347078f73cd11d3b31e29314428
SSDeep: 6144:ris7O4zIXSLtZ9Nbq8cKEDElVHwqYQbOlokp5EePwXUT9rhvM5Ln7Gf3B9aYV7y2:rE4xf9NG8cGEloUtPNhM6pMW7HF
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D 1.66 KB MD5: e3afc148c69b220d4ffb246126e170d4
SHA1: 026d78dee8752d73519b9d7a2db50a7b1976446e
SHA256: f11683de80ead230b6262a5409a06298bd3e44846f6912b0ae83077e32438cc3
SSDeep: 24:xWrk72ttjRvhNLC1vw6VcbhaR4m1lgzO5J9HNajfzeQiBCspBSV7uRGRX0Nnxprb:XcDLCoEccmb6b9kjr1spBHZxvCG
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\PNHi.csv 46.03 KB MD5: ffa940a757f6891644fd1c15987e9bd1
SHA1: 77609ce419cb7c943ee823c16be12443333f536a
SHA256: 305db7944ee02dff7c49d81d637916fa72c34b4c2158b49330bd4e6371f329b8
SSDeep: 768:dqnXP5BE61UPpLcPQIhu45T26WkTnksEUwSCSIoYNUFfLWOOrJKdtt7i+XXq9Jak:d25WPpR45W8nksEUTu3KW7JKR7i0uMzY
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0000E713\06_Pictures_rated_4_or_5_stars.wpl 1.05 KB MD5: 59e32286d6a0c6bbc3904bef2d6c8f93
SHA1: b92b8b952d1d5bb530353c44dd0e2c5236c82791
SHA256: 66ce3a08fd7fdfb4f0e911299a144d443e9c0da96aaffe580fb520c70337caf3
SSDeep: 24:FqkZSR/2SlSgU/fozGbfCmoeVrixvJLckgg34d4SzP5:FqYKe3gU/QkqoiHLcRgxSL5
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9 0.49 KB MD5: 1f1192b968b5cd8158985628cec0243a
SHA1: 11812d4d751532de079e4b44bf4fb14928fabbe4
SHA256: 60985279e4de4a47eb188bef0348db4739c974e3e2cc862bbfd52f964c491287
SSDeep: 12:hB4xYm4mMTVMZsnSo2KI9zIWP0h03mq0YPiIeLabCNkdlbuM:h7e2So2D9zch8gYaIeLe5
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\yhE-03.pps 25.61 KB MD5: ec11e3b8053283bc9c280693fa2bd439
SHA1: baf1bc0f751c9ba89cb996c50a17913382ac77bc
SHA256: 2c66a19de6dc88d245f6580aad5bc45efa7dc52607bdfa34ba4d1643653f6c75
SSDeep: 768:E9EtlvMUcGsXoLznm62b+YACwRLM+kEvYC+:E9nGsXoLzm63YACwRwEg
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\696F3DE637E6DE85B458996D49D759AD 1.06 KB MD5: 6c7c99a60941b9eaceb6d786d04f7567
SHA1: 8bac6f7379b4a7ca8605389f53b65e005cadffdf
SHA256: 85850fda282d7b561a81e8fe0c8a7ac5e1c415153293173ef8691d0d8346bc8d
SSDeep: 24:hpQ3U+vpuXbYcaea/506kizAAMJAXbpwE/YkiZC8316Y:fB+ikrem5nMAI4lwqYxdh
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\VGMTOI09\www.msn[1].xml 1.10 KB MD5: 656542ece5f1bc199b06acd04d2a89f1
SHA1: 3563f2b364883292917eeca8965ca0d6bd928627
SHA256: cf93c63004db18d47e48762bfde4c0f53f521f44919ad89b960ca5df1e72a65f
SSDeep: 24:1optkXrf2EjDpQzCZ1EVz2ywadXJJSnmiOEXCWqf7Vpl:apterf2EjVLZ1EJfSnmi1e7Dl
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1 1.85 KB MD5: 5b33a08150baad51f173a3368a217931
SHA1: c9d3d2157dabb8272a5b2727c785f89d060f2eda
SHA256: 15293eac3ab095759bf587c9eef5e593c01c96eb9831235ce82fc8c8cc81efa7
SSDeep: 48:OvhtMY1jHn4e5gLqK5iMjA1Ec3tuFPN0sBf3enD7OzkaIB:WtZMfLaft0BeWzkaIB
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\YYEW1wYK6Oxi.odt 57.69 KB MD5: fa89d8996395be9d409bdc577421b41a
SHA1: 5e0f7843851bc0f0374f3eafeacbfcce627be4ff
SHA256: 404018b34facfbd7cfbfa977e00dde770ff2b1f735b7093bd9f88faac3e4de58
SSDeep: 1536:mVlp4VT19Qj1xLG0SJ2ebuapHZyJQ4lrnsSe0DWtTIHw6:UpsU5xKjJ2e6apHmQOsfntT0F
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F90F18257CBB4D84216AC1E1F3BB2C76 0.52 KB MD5: 08a67321a8782e2b1af75e8dda89dd10
SHA1: 435b45ce68eb88624a4d0d566d80cdd958843a3d
SHA256: 26c62bf57dfe0fde5f7de92e90755d585ae844424ece49d2b2fd03d1e9d00738
SSDeep: 12:m2dPaxNdV94970Wkg62ACPIJ7DglSxur6MOPkvigtEiDB:ddPSNdV98wW/62ApdnPkvLEgB
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\nMUAm.odt 47.17 KB MD5: f0122351a5ba8c72669d48a81c8cb37e
SHA1: 235c3a89e66ce3fb565b187d02b67016b6c5a74d
SHA256: b4d6caaa3bff8aec23c9c0a85fbfb8a91dc15e28dad7aa8643adb59921374d7e
SSDeep: 768:FOcxVP9F0RbkBK1xcAVn84dRvkx3HJIDTMNyNGAs4kHf2NTrHnQ3IsDBg3kKeYyO:kcT9F0xkKKodo3pdg84kHe1rHKzBgTyO
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 0.71 KB MD5: 2050444324bacef218c74746808e77b1
SHA1: 6edac18241094fd6f466593994467c350c2065a9
SHA256: 528f2d0fc28e499d90f2a4f808c8fc07514b7f4edcb7c029a3df6eaa9416ecdd
SSDeep: 12:XvSD08eLMdpIQi2St0Vvq3LDYN0mE20/HwqCyOyzVYzdTHC7E+uIZTcJBETG8vNU:XvSdeLuy+SQN080I5y9YJuVcOG/
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77 0.99 KB MD5: 2a84247f70c03422dcdd8b214c133c4a
SHA1: 803ca94beee68b2db998f2f4f1d1f998fa038fb8
SHA256: cbb9b16e72c5ab06cc2775f29f30f43e3796342ac5693adfca855c417b9b11b2
SSDeep: 24:5Zp/4ZALMxKjCLSprMA2bBoPMsZkADMkNzjDn:5ZR2KWLSprMA2VopkADMyP
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1DAF2884EC4DFA96BA4A58D4DBC9C406 4.05 KB MD5: 8a3261fafa210209615684d06ae0e88c
SHA1: 30cfef2cd1cb9402fd7ceb458c24d9e5b4b8deb6
SHA256: 0dbdccd251acf246f086744d5e51659811a5f0d1e1ffe52e427bc8850ca2c418
SSDeep: 96:zl7SJiTGhFvtj/D1SQS30Z5IUZ7Y2VVXMv12noZV2iKLoSx:Y2Kt8l+xZdqAob2iKbx
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Protect\S-1-5-21-3388679973-3930757225-3770151564-1000\2be989a0-16a1-424b-9211-51aa3bb43e5d 0.74 KB MD5: f335f5387594293d98b100c49018fa06
SHA1: 51630f24b800ed251e4e77d39269f325d7e7964c
SHA256: 84c3c526fe1e96b25602dcae74ffc796537ae9e6aa1a9269787b4d827e21927d
SSDeep: 12:WRn54wHwdxjR2SHeo7ftxGFiCaxSA4rwbS8qPGKLH8VFbP5O/faXWZaHAePPnYxP:mQR2c761aysW8LbP5iZaHNPAVjDXJR
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873 2.00 KB MD5: 060fed4263a34c88d88dafe86883d7c8
SHA1: 30be1de838b7869496b4765b1a86aa496d811892
SHA256: a31abd59c7f3e8f45de526be4b827b8fbd7f2f099d17254470e88b5a1ccfd11b
SSDeep: 48:Dfm38pCFZ3njl9/5pw6RIuC4q0yTitX+S48IEeL4f:jm35F13kFSX7IhLC
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\5YfvWxaryGU.mp3 53.86 KB MD5: b4c2f0c4e70673a64a6728239ed380f7
SHA1: 1d989c9aea6febe130db76da13d104811070c5c8
SHA256: 4fd1f618ff954b7be1e63767e20fc308eb70b4a0576ede6bdf3f9a637dc9cc87
SSDeep: 1536:tgKRmDM4UPCRWEpPpeclv/nM/vpS4EYNVdCYc:tgKrEp8EnMZhEYNVJc
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Publisher Building Blocks\ContentStore.xml 0.44 KB MD5: fd624955d176390568536b3b7ea46b90
SHA1: 6fee48f445a418864dca389f862b13fb4b6d99d6
SHA256: b3ab3dd24f238a487978c88ddfd4c0fb936d7043307947c6fe6d355ad7e3600c
SSDeep: 6:sq4+XrdVYrz88vZFtr+u/B7guzEgQvlJGCzm9km3J1VkCTaAJgSAN+6xTFE6uYyz:Z7s0W13JkZrvHGCUp3pBgbIjYyEs
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C 1.88 KB MD5: 2176e990d66bcd5edb8231e59020b4f3
SHA1: c5bd431025ce2f74796c3224e7d57017b8d4299b
SHA256: ae66f70c285586c9bdab91106a93a6be0c91a4b0504a98b5c1318c066721c49d
SSDeep: 48:Eo38Ov2MILZM4jJHjaG2TSPUK8eR+4FUuqZ5DylylR41GTpg:P38HtjJDB2TSPU8fFPq7DrDWGTpg
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\jSxMVvO-8dbyb.bmp 82.03 KB MD5: 79da33d100cd46cf95272b04c01db3ab
SHA1: 21250c43afd04ea0c298eb44ad9f01eb7a6c59f4
SHA256: 855996f166d85c55be875a1cf31bebb521b12a0ce2e2b392931e9a18fac8cd22
SSDeep: 1536:L1aJ6W/6ivvpGVX32dIKRFNhW+paP9OwP1DMOYq+YPUL6CpBDDrOVjCro2cOKbZF:hK3iivvpWmuKfNQ+paFVP1QO9fP4hhrW
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\st75Up-pL3swxSrsi.jpg 24.94 KB MD5: aa234998a30879a6594bb6b71102279c
SHA1: 14004a86d5c7d23fa3dfeacd3e73d68a042e8036
SHA256: dff1da72123b8fc057bdb10b80e84c3fed29b208576e0268829155b9de460dfa
SSDeep: 384:Je3eRCRwxCDxlhxCTwsMgBRvVpEvWh1cVMcPxwWikZosPrAdvl7G3z1G:Je3eRCRwxCDx5CThfcvWhquWikIT4z1G
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\06_Pictures_rated_4_or_5_stars.wpl 1.05 KB MD5: a01e514f0b13defc14c0207873fa9b47
SHA1: a9c6ec379300ae20135232afbf2d63db5cd50cdf
SHA256: 3d31a0d4e9b4b2a4fb97baf172a5a57ef77e2c644a26787d88716412b0cc1a84
SSDeep: 24:stsnnNkHPGOBt65eAO36zEWO0J9KfjZf+I/9TN2gTb5vp8q:s2ndOaP66W0J9KLJVNvFB8q
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat 4.78 KB MD5: 3d5ac8a73bb94e7a83a8c860e04c692f
SHA1: 5dc2951efc58c4a96fe991926f7077a388c0dbd9
SHA256: b03df0348f3cfb4c22d14639f522001bfde32b0ad5e7bb732dc2657cb815693f
SSDeep: 96:aSJNr1WNt6OAphosPKAc3p49eywOtHiDsFvRp3zraR38ouJQ/loh:ay1WJg5KA+GDwOU49y38XQNoh
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E 0.66 KB MD5: 4b8959fcb833c482e7dfc6e6804b4453
SHA1: 9820256f030ddaf100186c499c74294eb03b591b
SHA256: dd4fe1d40bde018d556105931d5a4afbcb1fb4f152ba54dfaf3184b6a695b2f4
SSDeep: 12:qM2R2MzFK4OLuunFAgDW9XiGJFR5Z12Q/0QkqsQIAua/9nqqgda8K:Y3A4snGgDW9XiaR12OvkqsQIg9nqHK
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Protect\S-1-5-21-3388679973-3930757225-3770151564-1000\42d89ab6-6f5e-4463-92e1-18d8b8614c36 0.74 KB MD5: 764270643a9c8f57d83edbf0ec4ee5c2
SHA1: 2246db8340d32f589f3b8c6bf2b8b8abb0058fdb
SHA256: 423137d841de0b91d25e5a97bd8c44ada4a98cdf0619bdef1dfc5c6ebc83a282
SSDeep: 12:b8V1rpzA+0hTNN+BhXm8b564YHoYwx4SzwmeLbMcoE5TmYGHhM1pptP8aQLo:yq+0p+9m8b564YBoe+E5icp98ZLo
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Adobe\Acrobat\10.0\Security\CRLCache\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl 1.19 KB MD5: 78fd4f170d02be5bbdd8c10302fa2f2b
SHA1: ecddc21f093b0f73bb0afdc7a398fe2792b05bf4
SHA256: f50ece61ba8263747b2906025fea27e4488cf0a60d632815b048c093ec6868b6
SSDeep: 24:YS7leilrR91yMT1jDWordZC4V2TV+fe2kIImSg2qEuYbjDxMRL:YS7IwHgYZDWQ/V2JseeSgzEuOjlMt
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat 0.53 KB MD5: 6ee72b24b99473f0ad36b2160e80edef
SHA1: 95089489e20d90401ce8c284b09a902605f409f6
SHA256: 47861dd9332d554fbf9512330b2778ee0931154cff3bed64f1e690f8b8a07a0a
SSDeep: 12:Wy4D+KSj/POv3ohxQM8y2cA3e3JFQolXDG68AIpD6jtoQ7VeLC3zS4Q3:1iSjnw3ecofV5GrfD6Zo+sizSF3
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.cab 568.38 KB MD5: 7ddd444e2f5a721b711d6c6f22a0ea4e
SHA1: fbe0cdda76e933d1020df92b573703fc47c104cf
SHA256: 7ed28a1cf35453f8290ac04b4d61ea050d023119dbf13c6f26389e05dec2f6f1
SSDeep: 12288:5/NigZPVyyZdSQHKq+1ycAySCeA8ANbD8cAGxedUtnbzj0hX55:FpPVyyZdlHKq+1yxj7kNv8VQnnIhX55
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\uQ69YqY2.bmp 57.42 KB MD5: 37034e038616c9aae1696bea63e85b68
SHA1: 06e51946aad80855a14981bed8a91804327da8d1
SHA256: f03eb23cddb06d546f72a45dd7efd00e9b65d160f3c30380b638217ee147befb
SSDeep: 1536:rDpB8xsCsjMUvr9qpDl0YqrFdsvz9MLZgTNRvDLRK:vpBCVUvr9OWrFd8uZgTr4
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Outlook\Outlook.sharing.xml.obi 0.46 KB MD5: d0c7b08e350f87eb7224e7869947a5ac
SHA1: 9ecc6bc8b26887615c9fac09cb126c938952bf35
SHA256: 9b75ceadf4af1d17e2b9c1f09f4275813fc8edf3a4a7f6c2e92cb9c5d13e51f0
SSDeep: 12:sCIi8b1VIDkucy6zWI3m3UVuTmHcWBc8q4v94PXou2eebRppZQ0m:sCI5M4u0CAwUVUwcWWZ41UBebRLK7
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E 1.86 KB MD5: 2ab41bc0bcc92123bc77f9b6dcd32b32
SHA1: 7b3fd19c838edd2a1bd1a3e19a2ca6f13b2f6c6b
SHA256: 98d0ed8b365fc9b632fbb98d191d04340068c1f4445eda3bf55989e646aa959f
SSDeep: 48:ywM6B0acNX5qkulfghEMwI7Y4yKGwaKi5eqc3BXe+/3GLg/:xMiWKDlYGZIM4reA3Ku
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED 0.72 KB MD5: 1ba9c84f6ad560ce46c454572a4cd41c
SHA1: b3f6fd3a999ec8f2fce18acb953e24e61d915dd0
SHA256: 9f943a03e251199af5490eb1b15d5d6eb6b9e80cc8832e5285e44a49f1604dfd
SSDeep: 12:YVMkmS2ssJsuVX9DaUfc96eik6ffGVxzdwWzYo9ZqypXePJKOoa0:p5SXuVXQIc9ZifQVdz8EZqypAor
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0000E713\08_Video_rated_at_4_or_5_stars.wpl 1.27 KB MD5: d1f78fb94f1e5fd7fb632aed1b4e4081
SHA1: d15f7f1380cd1f24c6331c8f3c88b058ec591208
SHA256: 8d61ee11bf8a753923bb6d3f2ab8cb24fc2e99139455d9894b07f5a1a87e4501
SSDeep: 24:fhVvzj7VLHvucXJXWdHSKZLw6/I09qfaaEfT1i7aZ22o3QEIL7kzT:fhVvP7VL9JX8Xw6wAqEfZi7j23EIWT
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3388679973-3930757225-3770151564-1000\932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f 0.36 KB MD5: 5ea31c8fc8ce594e9ea47727823bdc5e
SHA1: d41f16fefa23572aac864c2f227375a92ab94fe4
SHA256: a557591387b92b5e8e491b3dce8763fadee39a7ba301d4ab703c02fcffacf502
SSDeep: 6:ZSX5Nmp6EHa8R+fQnmmPwX9eeARTKUItbhKhPHsAJl3ncI0CP5eC4Osp/LLEpzcU:A5Nmp6EHV/mmPAAUhczYC4b/LLmN
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4 0.66 KB MD5: 4a59f758ee88a4a3fabb64ed254bf3d1
SHA1: e4e3019f54a989f6087216ff493eafbf74075d12
SHA256: dadcd865091e9f4d61d9e9d9f7105e49de3507a1d98f68afc51c8c9b3422ca26
SSDeep: 12:gIZpZ1nsBi4sKjhjQKfUk/djjLomYByTxAl1FNJAEtfYon0iv6g6V6MM1VpxIin:7pZeQtKtnHLomkHvznDvhnMkVpRn
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\07_TV_recorded_in_the_last_week.wpl 1.30 KB MD5: 7cf929d856ecbf8d659d9debfd1c137a
SHA1: dbcbe6bcdc8a24d80f1fcbbc3e2ab9b40c183762
SHA256: 840c58787f4275fc501235e01b043941c29f193c2ce48a11c4f79c5a8c015ace
SSDeep: 24:2+LB/xI+02idSZVqkydnYFco7dJSFnBK+bjSjfEpjmL4dtxF6KOkRPGHKYaI:FIDSvbYKhmFnB1SEpjg4fJjPGHK4
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol 0.74 KB MD5: c449c9fa47f55f6831b1e874f0f26afe
SHA1: 570ee687025b4544b10f14fecc961e22ed979c08
SHA256: a88771a0feff1ca694e66729e5f0e1c0b3a552b223f3745884ccfd38e1d716d0
SSDeep: 12:PGabDQMCLTKxWKkgd1lVSh/clA9QSJd42wgsl9gA3FSR9HP+wsHkM8NOvxWh:itTKx2gd7sFdQS42w1/xa+wsIUS
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0000E713\11_All_Pictures.wpl 0.85 KB MD5: ed839c97847bf86ef95975df69050195
SHA1: 40e2d6c1cd047f84896cdc008e626b68fcedaf9a
SHA256: 231da351c92a63816124d720abeec3a133a7caf1f4e04ecd33c6b08ae8f33b6c
SSDeep: 24:ZAd8/e5D/JTtQjgxIVgQ7Zn727ZUdV2k/qeqbPo4h:Ij5D/JTtQc+CkZn727OdVGHt
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852 1.86 KB MD5: 14e49d30de111b46d8e69257931a1146
SHA1: 1e89f7a743b416a4863847bd3f24f9629218c698
SHA256: c1d50ea938ebf9ab52eca1c1691681f7778a63a3b095db010d62c1457fdb722e
SSDeep: 48:3rrnwa31XjimDgVprqlr0GDoNFQiUJ+fe4:brnwa38pQlJIfj
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\xzV1gkMa6a.ppt 8.31 KB MD5: 73e0cddd23b9457f91650e8729cf7776
SHA1: ec3d3bfbcf1397940bd7a4dea61b986260d2ca6a
SHA256: 754fcbe0a7be9c2dd6eb03c72861a0764def59ca3bb9e844af14a392410e33c5
SSDeep: 192:pft+xF7YvSHcpxYi8IANhoArnhyNe3EU7DSmN1ky:psxF7YvNY7xhoVNe0GPNWy
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE 0.66 KB MD5: 5b9cbccda1564c413bfd4458f961d465
SHA1: df1de871d8237a3dc1529dd45abfe667ad71010a
SHA256: b294fec0a97222d5b9b52a8a00e8df67e5ee99af5619644dee7fe738815c5118
SSDeep: 12:CUwCSMBKSJQr+DsYPQxVH5+q0TTllRKxSiSlEwpzNRyBOMmizZlxCG+sRHx5l:qCJM+QaDs+Yo7TThKHSlxhRyB3xZrCo9
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 0.61 KB MD5: dde74472ab6e3a5a1a2767682951f21a
SHA1: 226a7d5acfb8c39513b70443d95679e177b0a65c
SHA256: 75576f06e4bf9cd5dea4cf80190edfbf00f5a2eefe7c0b8f3e6208c6892b8042
SSDeep: 12:3+CfgrRpv1HfCnWiyDiaOY3/CGPsQtxjmsYStabhYTm/RVS:OWgdzfCW5DzCO3jgXWTmJVS
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Protect\S-1-5-21-3388679973-3930757225-3770151564-1000\29373454-3c13-4a27-aa0c-16fc0ac18343 0.74 KB MD5: 8dca5f73ed0a2ae0e2ee5a58e4438429
SHA1: 2744acff8887d7e417460b20e64e08623f9be93e
SHA256: ef882908c4ee6cabdfa98f802ea5a5f7255635e11717d720ca2902878d1f7099
SSDeep: 12:DsqHr/++tXgPLYjSzQKZQDv/SyDBKWA8UFsJoYZSRFUX4qSreBxzJau38rPaGrSJ:Na+BgzY7/ehOJHCGx8rCGrS/BWE
False
Host Behavior
File (6097)
Operation Filename Additional Information Success Count Logfile
Create C:\users\Public\sys desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN True 1 Fn
Create C:\users\Public\PUBLIC desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1 Fn
Create C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1 Fn
Create C:\users\Public\PUBLIC desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 2 Fn
Create C:\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 6 Fn
Create C:\Boot\BCD desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1 Fn
Create C:\Boot\BCD.LOG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1 Fn
Create C:\Boot\BCD.LOG1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1 Fn
Create C:\Boot\BCD.LOG2 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1 Fn
Create C:\Boot\BOOTSTAT.DAT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1 Fn
Create C:\Boot\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 25 Fn
Create C:\Boot\cs-CZ\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1 Fn
Create C:\Boot\da-DK\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1 Fn
Create C:\Boot\de-DE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1 Fn
Create C:\Boot\el-GR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1 Fn
Create C:\Boot\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1 Fn
Create C:\Boot\es-ES\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1 Fn
Create C:\Boot\fi-FI\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1 Fn
Create C:\Boot\Fonts\chs_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1 Fn
Create C:\Boot\Fonts\cht_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\jpn_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\kor_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\wgl4_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\fr-FR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\hu-HU\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\it-IT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\ja-JP\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\ko-KR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\nb-NO\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\nl-NL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\pl-PL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\pt-BR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\pt-PT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\ru-RU\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\sv-SE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\tr-TR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\zh-CN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\zh-HK\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\zh-TW\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\bootmgr desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\BOOTSECT.BAK desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Config.Msi\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Documents and Settings\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\hiberfil.sys desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\MSOCache\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\pagefile.sys desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\PerfLogs\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 6
Fn
Create C:\Program Files\Common Files\DESIGNER\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 27
Fn
Create C:\Program Files\Common Files\Microsoft Shared\DW\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\EQUATION\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\Microsoft Shared\EQUATION\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.CNT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.HLP desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\EQUATION\MTEXTRA.TTF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\EURO\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Filters\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\CGMIMP32.CFG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\CGMIMP32.FLT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\CGMIMP32.FNT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\GIFIMP32.FLT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.CGM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.EPS desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.JPG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.WPG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PICTIM32.FLT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\WPGIMP32.FLT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Help\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 38
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 10
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\MSClientDataMgr\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\MSInfo\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 4
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\ADO210.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\README.HTM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MUAUTH.CAB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 22
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUISet.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\ExcelMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\GrooveMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\InfoPathMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OCT.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUISet.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSCONFIG.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10O.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10R.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\Office32MUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.WW\Office32WW.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.WW\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OneNote.en-us\OneNoteMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OneNote.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OneNote.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Outlook.en-us\OutlookMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Outlook.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Outlook.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\pkeyconfig-office.xrm-ms desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\PowerPointMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PRJPROR\PrjProrWW.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PRJPROR\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PRJPROR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Project.en-us\ProjectMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Project.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Project.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.en\Proof.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.en\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.es\Proof.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.es\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.fr\Proof.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proof.fr\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proofing.en-us\Proofing.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proofing.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proofing.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PROPLUSR\ProPlusrWW.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PROPLUSR\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PROPLUSR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Publisher.en-us\PublisherMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Publisher.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Publisher.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Visio.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Visio.en-us\VisioMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Visio.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\VISIOR\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\VISIOR\VisiorWW.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\VISIOR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Word.en-us\SETUP.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Word.en-us\WordMUI.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Word.en-us\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\PROOF\MSWDS_EN.LEX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\PROOF\MSWDS_ES.LEX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\PROOF\MSWDS_FR.LEX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\PROOF\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 3
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\1033\MCABOUT.HTM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\DATES.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\PHONE.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\STOCKS.DAT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\STOCKS.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\TIME.XML desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\BASMLA.XSL desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\METCONV.TXT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Smart Tag\MSTAG.TLB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Source Engine\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Graph.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(inch).wmf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Month_Calendar.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Music.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\To_Do_List.emf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Stationery\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TextConv\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TextConv\RECOVR32.CNV desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TextConv\Wks9Pxy.cnv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TextConv\WPFT532.CNV desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\TextConv\WPFT632.CNV desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 46
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AFTRNOON\AFTRNOON.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AFTRNOON\AFTRNOON.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AFTRNOON\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AFTRNOON\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AFTRNOON\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ARCTIC\ARCTIC.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ARCTIC\ARCTIC.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ARCTIC\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ARCTIC\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ARCTIC\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AXIS\AXIS.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AXIS\AXIS.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AXIS\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AXIS\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\AXIS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLENDS\BLENDS.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLENDS\BLENDS.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLENDS\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLENDS\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLENDS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUECALM\BLUECALM.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUECALM\BLUECALM.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUECALM\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUECALM\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUECALM\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUEPRNT\BLUEPRNT.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUEPRNT\BLUEPRNT.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUEPRNT\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUEPRNT\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BLUEPRNT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BOLDSTRI\BOLDSTRI.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BOLDSTRI\BOLDSTRI.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BOLDSTRI\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BOLDSTRI\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BOLDSTRI\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BREEZE\BREEZE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BREEZE\BREEZE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BREEZE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BREEZE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\BREEZE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CANYON\CANYON.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CANYON\CANYON.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CANYON\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CANYON\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CANYON\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CAPSULES\CAPSULES.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CAPSULES\CAPSULES.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CAPSULES\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CAPSULES\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CAPSULES\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CASCADE\CASCADE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CASCADE\CASCADE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CASCADE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CASCADE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CASCADE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\COMPASS\COMPASS.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\COMPASS\COMPASS.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\COMPASS\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\COMPASS\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\COMPASS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CONCRETE\CONCRETE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CONCRETE\CONCRETE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CONCRETE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CONCRETE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\CONCRETE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\DEEPBLUE\DEEPBLUE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\DEEPBLUE\DEEPBLUE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\DEEPBLUE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\DEEPBLUE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\DEEPBLUE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECHO\ECHO.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECHO\ECHO.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECHO\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECHO\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECHO\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECLIPSE\ECLIPSE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECLIPSE\ECLIPSE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECLIPSE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECLIPSE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ECLIPSE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EDGE\EDGE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EDGE\EDGE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EDGE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EDGE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EDGE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EVRGREEN\EVRGREEN.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EVRGREEN\EVRGREEN.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EVRGREEN\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EVRGREEN\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EVRGREEN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EXPEDITN\EXPEDITN.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EXPEDITN\EXPEDITN.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EXPEDITN\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EXPEDITN\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\EXPEDITN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ICE\ICE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ICE\ICE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ICE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ICE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\ICE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\INDUST\INDUST.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\INDUST\INDUST.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\INDUST\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\INDUST\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\INDUST\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\IRIS\IRIS.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\IRIS\IRIS.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\IRIS\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\IRIS\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\IRIS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\JOURNAL\JOURNAL.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\JOURNAL\JOURNAL.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\JOURNAL\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\JOURNAL\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\JOURNAL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LAYERS\LAYERS.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LAYERS\LAYERS.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LAYERS\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LAYERS\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LAYERS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LEVEL\LEVEL.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LEVEL\LEVEL.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LEVEL\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LEVEL\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\LEVEL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\NETWORK\NETWORK.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\NETWORK\NETWORK.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\NETWORK\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\NETWORK\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\NETWORK\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PAPYRUS\PAPYRUS.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PAPYRUS\PAPYRUS.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PAPYRUS\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PAPYRUS\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PAPYRUS\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PIXEL\PIXEL.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PIXEL\PIXEL.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PIXEL\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PIXEL\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PIXEL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PROFILE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PROFILE\PROFILE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PROFILE\PROFILE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PROFILE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\PROFILE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\QUAD\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\QUAD\QUAD.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\QUAD\QUAD.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\QUAD\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\QUAD\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RADIAL\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RADIAL\RADIAL.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RADIAL\RADIAL.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RADIAL\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RADIAL\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\REFINED\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\REFINED\REFINED.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\REFINED\REFINED.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\REFINED\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\REFINED\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RICEPAPR\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RICEPAPR\RICEPAPR.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RICEPAPR\RICEPAPR.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RICEPAPR\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RICEPAPR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RIPPLE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RIPPLE\RIPPLE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RIPPLE\RIPPLE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RIPPLE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RIPPLE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RMNSQUE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RMNSQUE\RMNSQUE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RMNSQUE\RMNSQUE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RMNSQUE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\RMNSQUE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SATIN\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SATIN\SATIN.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SATIN\SATIN.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SATIN\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SATIN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SKY\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SKY\SKY.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SKY\SKY.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SKY\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SKY\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SLATE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SLATE\SLATE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SLATE\SLATE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SLATE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SLATE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SONORA\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SONORA\SONORA.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SONORA\SONORA.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SONORA\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SONORA\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SPRING\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SPRING\SPRING.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SPRING\SPRING.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SPRING\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SPRING\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STRTEDGE\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STRTEDGE\STRTEDGE.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STRTEDGE\STRTEDGE.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STRTEDGE\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STRTEDGE\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STUDIO\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STUDIO\STUDIO.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STUDIO\STUDIO.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STUDIO\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\STUDIO\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SUMIPNTG\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SUMIPNTG\SUMIPNTG.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SUMIPNTG\SUMIPNTG.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SUMIPNTG\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\SUMIPNTG\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\THEMES.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATER\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATER\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATER\WATER.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATER\WATER.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATER\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATERMAR\PREVIEW.GIF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATERMAR\THMBNAIL.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATERMAR\WATERMAR.ELM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATERMAR\WATERMAR.INF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATERMAR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 7
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ARFR\MSB1ARFR.ITS desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ARFR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ENES\MSB1ENES.ITS desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ENES\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ENFR\MSB1ENFR.ITS desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ENFR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ESEN\MSB1ESEN.ITS desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ESEN\WT61ES.LEX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\ESEN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FRAR\MSB1FRAR.ITS desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FRAR\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.ITS desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FREN\WT61FR.LEX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\FREN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\MSB1AR.LEX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\TRANSLAT\MSB1CACH.LEX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Triedit\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\VBA\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\FM20.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBCN6.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBENDF98.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBHW6.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBLR6.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBOB6.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\VBUI6.CHM desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\VC\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\VGX\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\BIGFONT.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\CHINESET.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\EXTFONT.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\GBCBIG.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\IC-TXT.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\ICAD.FMP desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\WHGDTXT.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\WHGTXT.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\WHTGTXT.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\WHTMTXT.SHX desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Visio Shared\Fonts\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\VSTO\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.config desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee100.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee90.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Web Folders\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\1033\FPEXT.MSG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Services\verisign.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\Services\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\SpeechEngines\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\SpeechEngines\Microsoft\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 6
Create C:\Program Files\Common Files\System\ado\adojavas.inc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\ado\adovbs.inc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\ado\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\System\ado\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\ado\msado20.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\ado\msado21.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\ado\msado25.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\ado\msado26.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\ado\msado27.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\ado\msado28.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\ado\msadomd28.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\ado\msadox28.tlb desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\msadc\adcjavas.inc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\msadc\adcvbs.inc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\msadc\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\System\msadc\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\msadc\handler.reg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\msadc\handsafe.reg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\MSMAPI\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\System\MSMAPI\1033\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\Ole DB\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\Ole DB\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\Ole DB\sqloledb.rll desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\audiodepthconverter.ax desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\bod_r.TTF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\directshowtap.ax desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 2
Create C:\Program Files\DVD Maker\en-US\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Eurosti.TTF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\fieldswitch.ax desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\offset.ax desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\rtstreamsink.ax desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\rtstreamsource.ax desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\SecretST.TTF desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\Common.fxh desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DissolveAnother.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DissolveNoise.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 16
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\LightBlueRectangle.PNG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\MainMenuButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_rightarrow.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\babypink.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_matte2.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_MATTE2_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_rgb6.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_RGB6_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-next-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\button-highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-foreground.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\curtains.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_precomp_matte.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_matte.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_MATTE_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_rgb.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_RGB_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\notes-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\play-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\BlackRectangle.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_glass.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_selectionsubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_videoinset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\circle_glass_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureA.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureB.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_VideoInset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Dot.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\DvdTransform.fx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\pagecurl.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\15x15dot.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotslightoverlay.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\full.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\pushplaysubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Full\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\heart_glass_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_VideoInset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\15x15dot.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\colorcycle.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\huemainsubpicture2.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\title_stripe.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\layers.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-image-mask.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-overlay.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-back-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-previous-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-overlay.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Memories_buttonClear.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_btn-back-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_content-background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\scrapbook.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_content-background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_mainImage-mask.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_select-highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\decorative_rule.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\vintage.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\720x480blacksquare.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIconSubpictur.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIconSubpict.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Mask1.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Subpicture1.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIconSubpi.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\redmenu.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_notes.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Notes_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_scene.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\userContent_16x9_imagemask.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\whitemenu.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-over-select.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-over-select.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-over-DOT.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-over-select.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-static.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-border.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-shadow.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-backglow.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-border.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_notes-txt-background.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\rollinghills.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_buttongraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_selectionsubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_videoinset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_VideoInset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047_576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\pushplaysubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_item.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_title.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Push\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\15x15dot.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\720x480icongraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\reflect.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_babypink_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_glass_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_highlights_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_performance_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_plain_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_postage_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_scrapbook_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_specialocc_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_travel_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_widescreen_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\203x8subpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\bandwidth.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\blackbars80.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\scene_button_style_default_Thumbnail.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_buttongraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_selectionsubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\203x8subpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\1047x576black.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\mainscroll.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\scenesscroll.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialmainsubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_SelectionSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialoccasion.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\RyukReadMe.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\CircleSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\GoldRing.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NavigationButtonSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NextMenuButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\ParentMenuButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\PreviousMenuButtonIcon.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha1.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha2.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonSubpicture.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Write C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\SystemCertificates\RyukReadMe.txt size = 802 True 1
Write C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\SystemCertificates\My\RyukReadMe.txt size = 802 True 1
Write C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\RyukReadMe.txt size = 802 True 1
Write C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\RyukReadMe.txt size = 802 True 1
Write C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\RyukReadMe.txt size = 802 True 1
Write C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cFa kH1z6.m4a size = 62800 True 1
For performance reasons, the remaining 2490 entries are omitted.
The remaining entries can be found in glog.xml.
Module (78)
Operation Module Additional Information Success Count
Load kernel32.dll base_address = 0x76aa0000 True 1
Load mpr.dll base_address = 0x7fefa550000 True 1
Load advapi32.dll base_address = 0x7fefec60000 True 1
Load ole32.dll base_address = 0x7fefe670000 True 1
Load Shell32.dll base_address = 0x7fefd440000 True 1
Load Iphlpapi.dll base_address = 0x7fefa5e0000 True 1
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryA, address_out = 0x76ab7070 True 1
Get Address c:\windows\system32\kernel32.dll function = GetLastError, address_out = 0x76ac2dd0 True 1
Get Address c:\windows\system32\kernel32.dll function = VirtualFree, address_out = 0x76ab1260 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptExportKey, address_out = 0x7fefec68140 True 1
Get Address c:\windows\system32\kernel32.dll function = DeleteFileW, address_out = 0x76aaad90 True 1
Get Address c:\windows\system32\kernel32.dll function = GetDriveTypeW, address_out = 0x76abbdf0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetCommandLineW, address_out = 0x76abc480 True 1
Get Address c:\windows\system32\kernel32.dll function = GetStartupInfoW, address_out = 0x76ab8070 True 1
Get Address c:\windows\system32\kernel32.dll function = FindNextFileW, address_out = 0x76ab1910 True 1
Get Address c:\windows\system32\kernel32.dll function = VirtualAlloc, address_out = 0x76ab67a0 True 1
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7fefec6dc20 True 1
Get Address c:\windows\system32\kernel32.dll function = ExitProcess, address_out = 0x76ce40f0 True 1
Get Address c:\windows\system32\kernel32.dll function = Wow64RevertWow64FsRedirection, address_out = 0x76aebb30 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateProcessA, address_out = 0x76b38840 True 1
Get Address c:\windows\system32\iphlpapi.dll function = GetIpNetTable, address_out = 0x7fefa5ee558 True 1
Get Address c:\windows\system32\kernel32.dll function = GetVersionExW, address_out = 0x76aad910 True 1
Get Address c:\windows\system32\kernel32.dll function = Wow64DisableWow64FsRedirection, address_out = 0x76aebb40 True 1
Get Address c:\windows\system32\kernel32.dll function = GetSystemDefaultLangID, address_out = 0x76aa94e0 True 1
Get Address c:\windows\system32\advapi32.dll function = GetUserNameW, address_out = 0x7fefec71fd0 True 1
Get Address c:\windows\system32\kernel32.dll function = ReadFile, address_out = 0x76ab1500 True 1
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7fefec7c480 True 1
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x76ac2f80 True 1
Get Address c:\windows\system32\advapi32.dll function = RegSetValueExW, address_out = 0x7fefec71ed0 True 1
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7fefec80710 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileA, address_out = 0x76b35620 True 1
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesW, address_out = 0x76ab37a0 True 1
Get Address c:\windows\system32\kernel32.dll function = WinExec, address_out = 0x76b38d80 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDeriveKey, address_out = 0x7fefec9b6b0 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptGenKey, address_out = 0x7fefec619bc True 1
Get Address c:\windows\system32\kernel32.dll function = Sleep, address_out = 0x76ac2b70 True 1
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcess, address_out = 0x76ab5cf0 True 1
Get Address c:\windows\system32\shell32.dll function = ShellExecuteW, address_out = 0x7fefd45983c True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileSize, address_out = 0x76aaf9d0 True 1
Get Address c:\windows\system32\kernel32.dll function = GlobalAlloc, address_out = 0x76aa80c0 True 1
Get Address c:\windows\system32\kernel32.dll function = FindClose, address_out = 0x76abbd60 True 1
Get Address c:\windows\system32\kernel32.dll function = WaitForMultipleObjects, address_out = 0x76ab1170 True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x76ab64a0 True 1
Get Address c:\windows\system32\shell32.dll function = ShellExecuteA, address_out = 0x7fefd69ec80 True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x76ab65e0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameW, address_out = 0x76ab7700 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x76ac31f0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileSizeEx, address_out = 0x76aa9b30 True 1
Get Address c:\windows\system32\kernel32.dll function = WriteFile, address_out = 0x76ac35a0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetLogicalDrives, address_out = 0x76aab930 True 1
Get Address c:\windows\system32\mpr.dll function = WNetEnumResourceW, address_out = 0x7fefa5541a0 True 1
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExW, address_out = 0x7fefec806f0 True 1
Get Address c:\windows\system32\mpr.dll function = WNetCloseEnum, address_out = 0x7fefa5542dc True 1
Get Address c:\windows\system32\kernel32.dll function = GetWindowsDirectoryW, address_out = 0x76aa82b0 True 1
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesA, address_out = 0x76aa2d50 True 1
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7fefec7b5f0 True 1
Get Address c:\windows\system32\kernel32.dll function = SetFilePointer, address_out = 0x76ab1150 True 1
Get Address c:\windows\system32\kernel32.dll function = GetTickCount, address_out = 0x76ac2b00 True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesW, address_out = 0x76abbdd0 True 1
Get Address c:\windows\system32\kernel32.dll function = FindFirstFileW, address_out = 0x76abbd80 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptAcquireContextW, address_out = 0x7fefec6d98c True 1
Get Address c:\windows\system32\kernel32.dll function = MoveFileExW, address_out = 0x76aa3060 True 1
Get Address c:\windows\system32\mpr.dll function = WNetOpenEnumW, address_out = 0x7fefa553e00 True 1
Get Address c:\windows\system32\ole32.dll function = CoInitialize, address_out = 0x7fefe68a51c True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDecrypt, address_out = 0x7fefec9b6d0 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptImportKey, address_out = 0x7fefec6af6c True 1
Get Address c:\windows\system32\kernel32.dll function = SetFilePointerEx, address_out = 0x76aaaf00 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileW, address_out = 0x76aa92d0 True 1
Get Address c:\windows\system32\kernel32.dll function = FreeLibrary, address_out = 0x76ab6620 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateProcessW, address_out = 0x76ac1bb0 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateDirectoryW, address_out = 0x76aaad70 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateThread, address_out = 0x76ab6580 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDestroyKey, address_out = 0x7fefec6afa0 True 1
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7fefe697490 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateFileW, address_out = 0x76ab1870 True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesA, address_out = 0x76ab13e0 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptEncrypt, address_out = 0x7fefec9b650 True 1
Get Address c:\windows\system32\advapi32.dll function = RegDeleteValueW, address_out = 0x7fefec6bbb0 True 1
System (7)
Operation Additional Information Success Count
Sleep duration = 5000 milliseconds (5.000 seconds) True 1
Sleep duration = 1000 milliseconds (1.000 seconds) True 1
Get Info type = Operating System True 2
Get Info type = Windows Directory, result_out = C:\Windows True 3
Process #833: net1.exe
17 0
Information Value
ID #833
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop kavfsslp /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:21, Reason: Child Process
Unmonitor End Time: 00:04:22, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xe9c
Parent PID 0xaf0 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x9F8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0044ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xffc80000 0xffcb2fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Get Info STD_ERROR_HANDLE type = file_type True 4
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Write STD_ERROR_HANDLE size = 30 True 1
Write STD_ERROR_HANDLE size = 2 True 2
Write STD_ERROR_HANDLE size = 52 True 1
Module (3)
Operation Module Additional Information Success Count
Load NETMSG base_address = 0x749d0000 True 1
Get Handle c:\windows\system32\net1.exe base_address = 0xffc80000 True 1
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Service (2)
Operation Additional Information Success Count
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-11-27 08:43:11 (UTC) True 1
Get Time type = Ticks, time = 86658 True 1
Process #834: net1.exe
17 0
»
Information Value
ID #834
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop KAVFSGT /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:21, Reason: Child Process
Unmonitor End Time: 00:04:23, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
»
Information Value
PID 0xec4
Parent PID 0xcf0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x B00
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0011ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
netmsg.dll 0x749d0000 0x749d1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff830000 0xff862fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749d0000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff830000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:12 (UTC) True 1
Fn
Get Time type = Ticks, time = 87204 True 1
Fn
Process #835: net1.exe
Information Value
ID #835
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop KAVFS /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:21, Reason: Child Process
Unmonitor End Time: 00:04:23, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x848
Parent PID 0xa54 (c:\windows\system32\net1.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA4C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
private_0x00000000004e0000 0x004e0000 0x004effff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff830000 0xff862fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff830000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:12 (UTC) True 1
Fn
Get Time type = Ticks, time = 87251 True 1
Fn
Process #836: net1.exe
Information Value
ID #836
File Name c:\windows\system32\net1.exe
Command Line C:\Windows\system32\net1 stop mfefire /y
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:21, Reason: Child Process
Unmonitor End Time: 00:04:23, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xdd8
Parent PID 0xde0 (c:\windows\system32\net.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x608
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
netmsg.dll 0x749c0000 0x749c1fff Memory Mapped File rwx False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
net1.exe 0xff830000 0xff862fff Memory Mapped File rwx True False False -
ntdsapi.dll 0x7fef8b80000 0x7fef8ba6fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
browcli.dll 0x7fefacf0000 0x7fefad01fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefae10000 0x7fefae23fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefae30000 0x7fefae44fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefae50000 0x7fefae5bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefae60000 0x7fefae75fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefb6f0000 0x7fefb70cfff Memory Mapped File rwx False False False -
logoncli.dll 0x7fefc2f0000 0x7fefc31ffff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefca00000 0x7fefca22fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Write STD_ERROR_HANDLE size = 30 True 1
Fn
Data
Write STD_ERROR_HANDLE size = 2 True 2
Fn
Data
Write STD_ERROR_HANDLE size = 52 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Load NETMSG base_address = 0x749c0000 True 1
Fn
Get Handle c:\windows\system32\net1.exe base_address = 0xff830000 True 1
Fn
Get Filename - process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260 True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Get Service Name database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:12 (UTC) True 1
Fn
Get Time type = Ticks, time = 87095 True 1
Fn
Process #837: taskhost.exe
Information Value
ID #837
File Name c:\windows\system32\taskhost.exe
Command Line "taskhost.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:21, Reason: Injection
Unmonitor End Time: 00:05:05, Reason: Terminated by Timeout
Monitor Duration 00:00:44
OS Process Information
Information Value
PID 0x4a0
Parent PID 0x1d0 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xE98
0xE80
0xE34
0xE90
0xE38
0x77C
0x6E4
0x690
0x594
0x590
0x58C
0x4C4
0x4BC
0x4B4
0x4A8
0x4A4
0x9D8
0xD6C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
locale.nls 0x00040000 0x000a6fff Memory Mapped File r False False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory rw True False False -
pagefile_0x0000000000130000 0x00130000 0x00131fff Pagefile Backed Memory rw True False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x00340fff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x00350fff Private Memory rw True False False -
pagefile_0x0000000000360000 0x00360000 0x00360fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000370000 0x00370000 0x00370fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000380000 0x00380000 0x00381fff Pagefile Backed Memory rw True False False -
msutb.dll.mui 0x00390000 0x00391fff Memory Mapped File rw False False False -
private_0x00000000003a0000 0x003a0000 0x003dffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x003e0fff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x003f0fff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x0040ffff Private Memory rw True False False -
pagefile_0x0000000000410000 0x00410000 0x00597fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005a0000 0x005a0000 0x00720fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000730000 0x00730000 0x01b2ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001b30000 0x01b30000 0x01f22fff Pagefile Backed Memory r True False False -
private_0x0000000001f80000 0x01f80000 0x01ffffff Private Memory rw True False False -
private_0x0000000002000000 0x02000000 0x0207ffff Private Memory rw True False False -
private_0x0000000002080000 0x02080000 0x020fffff Private Memory rw True False False -
private_0x0000000002100000 0x02100000 0x0217ffff Private Memory rw True False False -
private_0x0000000002190000 0x02190000 0x0220ffff Private Memory rw True False False -
pagefile_0x0000000002210000 0x02210000 0x022eefff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x022f0000 0x023affff Memory Mapped File rw False False False -
private_0x0000000002410000 0x02410000 0x0248ffff Private Memory rw True False False -
private_0x00000000024c0000 0x024c0000 0x0253ffff Private Memory rw True False False -
private_0x00000000025e0000 0x025e0000 0x0265ffff Private Memory rw True False False -
private_0x00000000026e0000 0x026e0000 0x0275ffff Private Memory rw True False False -
private_0x0000000002790000 0x02790000 0x0280ffff Private Memory rw True False False -
private_0x0000000002810000 0x02810000 0x0288ffff Private Memory rw True False False -
private_0x00000000028b0000 0x028b0000 0x0292ffff Private Memory rw True False False -
private_0x0000000002950000 0x02950000 0x029cffff Private Memory rw True False False -
private_0x00000000029f0000 0x029f0000 0x02a6ffff Private Memory rw True False False -
private_0x0000000002ac0000 0x02ac0000 0x02b3ffff Private Memory rw True False False -
private_0x0000000002b90000 0x02b90000 0x02c0ffff Private Memory rw True False False -
private_0x0000000002c20000 0x02c20000 0x02c9ffff Private Memory rw True False False -
private_0x0000000002cd0000 0x02cd0000 0x02d4ffff Private Memory rw True False False -
private_0x0000000002d80000 0x02d80000 0x02dfffff Private Memory rw True False False -
private_0x0000000002e50000 0x02e50000 0x02e5ffff Private Memory rw True False False -
sortdefault.nls 0x02e60000 0x0312efff Memory Mapped File r False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskhost.exe 0xffba0000 0xffbb3fff Memory Mapped File rwx False False False -
private_0x000000013f490000 0x13f490000 0x13f4c5fff Private Memory rwx True False False -
dimsjob.dll 0x7fef8130000 0x7fef813dfff Memory Mapped File rwx False False False -
npmproxy.dll 0x7fef8390000 0x7fef839bfff Memory Mapped File rwx False False False -
netprofm.dll 0x7fef8790000 0x7fef8803fff Memory Mapped File rwx False False False -
hotstartuseragent.dll 0x7fef9bd0000 0x7fef9bdafff Memory Mapped File rwx False False False -
msutb.dll 0x7fef9be0000 0x7fef9c1cfff Memory Mapped File rwx False False False -
msctfmonitor.dll 0x7fef9c20000 0x7fef9c2afff Memory Mapped File rwx False False False -
playsndsrv.dll 0x7fef9d50000 0x7fef9d67fff Memory Mapped File rwx False False False -
mpr.dll 0x7fefa550000 0x7fefa567fff Memory Mapped File rwx False False False -
winmm.dll 0x7fefa570000 0x7fefa5aafff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefa5d0000 0x7fefa5dafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefa5e0000 0x7fefa606fff Memory Mapped File rwx False False False -
slc.dll 0x7fefa690000 0x7fefa69afff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefa6a0000 0x7fefa6abfff Memory Mapped File rwx False False False -
nlaapi.dll 0x7fefa720000 0x7fefa734fff Memory Mapped File rwx False False False -
taskschd.dll 0x7fefa850000 0x7fefa976fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefaf90000 0x7fefafa0fff Memory Mapped File rwx False False False -
dwmapi.dll 0x7fefb130000 0x7fefb147fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fefb560000 0x7fefb5b5fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefc200000 0x7fefc246fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefc500000 0x7fefc516fff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefcad0000 0x7fefcaf4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefcb00000 0x7fefcb0efff Memory Mapped File rwx False False False -
winsta.dll 0x7fefcbb0000 0x7fefcbecfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefcbf0000 0x7fefcc03fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
shell32.dll 0x7fefd440000 0x7fefe1c7fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fefe300000 0x7fefe398fff Memory Mapped File rwx False False False -
ole32.dll 0x7fefe670000 0x7fefe872fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefeb80000 0x7fefec56fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
private_0x000007fffff98000 0x7fffff98000 0x7fffff99fff Private Memory rw True False False -
private_0x000007fffff9a000 0x7fffff9a000 0x7fffff9bfff Private Memory rw True False False -
private_0x000007fffff9c000 0x7fffff9c000 0x7fffff9dfff Private Memory rw True False False -
private_0x000007fffff9e000 0x7fffff9e000 0x7fffff9ffff Private Memory rw True False False -
private_0x000007fffffa0000 0x7fffffa0000 0x7fffffa1fff Private Memory rw True False False -
private_0x000007fffffa2000 0x7fffffa2000 0x7fffffa3fff Private Memory rw True False False -
private_0x000007fffffa4000 0x7fffffa4000 0x7fffffa5fff Private Memory rw True False False -
private_0x000007fffffa6000 0x7fffffa6000 0x7fffffa7fff Private Memory rw True False False -
private_0x000007fffffa8000 0x7fffffa8000 0x7fffffa9fff Private Memory rw True False False -
private_0x000007fffffaa000 0x7fffffaa000 0x7fffffabfff Private Memory rw True False False -
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff Private Memory rw True False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory rw True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Memory #420: c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe 0x760 address = 0x13f490000, size = 221184 True 1
Fn
Data
Create Remote Thread #420: c:\users\5p5nrgjn0js halpmcxz\desktop\xhcdxx.exe 0x760 address = 0x13f491a30 True 1
Fn
Host Behavior
File (5)
Operation Filename Additional Information Success Count Logfile
Create C:\users\Public\sys desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN False 5
Fn
Module (78)
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x76aa0000 True 1
Fn
Load mpr.dll base_address = 0x7fefa550000 True 1
Fn
Load advapi32.dll base_address = 0x7fefec60000 True 1
Fn
Load ole32.dll base_address = 0x7fefe670000 True 1
Fn
Load Shell32.dll base_address = 0x7fefd440000 True 1
Fn
Load Iphlpapi.dll base_address = 0x7fefa5e0000 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryA, address_out = 0x76ab7070 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetLastError, address_out = 0x76ac2dd0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = VirtualFree, address_out = 0x76ab1260 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptExportKey, address_out = 0x7fefec68140 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = DeleteFileW, address_out = 0x76aaad90 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetDriveTypeW, address_out = 0x76abbdf0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCommandLineW, address_out = 0x76abc480 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetStartupInfoW, address_out = 0x76ab8070 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindNextFileW, address_out = 0x76ab1910 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = VirtualAlloc, address_out = 0x76ab67a0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7fefec6dc20 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ExitProcess, address_out = 0x76ce40f0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = Wow64RevertWow64FsRedirection, address_out = 0x76aebb30 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateProcessA, address_out = 0x76b38840 True 1
Fn
Get Address c:\windows\system32\iphlpapi.dll function = GetIpNetTable, address_out = 0x7fefa5ee558 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetVersionExW, address_out = 0x76aad910 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = Wow64DisableWow64FsRedirection, address_out = 0x76aebb40 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetSystemDefaultLangID, address_out = 0x76aa94e0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = GetUserNameW, address_out = 0x7fefec71fd0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ReadFile, address_out = 0x76ab1500 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7fefec7c480 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x76ac2f80 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegSetValueExW, address_out = 0x7fefec71ed0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7fefec80710 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileA, address_out = 0x76b35620 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesW, address_out = 0x76ab37a0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WinExec, address_out = 0x76b38d80 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptDeriveKey, address_out = 0x7fefec9b6b0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptGenKey, address_out = 0x7fefec619bc True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = Sleep, address_out = 0x76ac2b70 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcess, address_out = 0x76ab5cf0 True 1
Fn
Get Address c:\windows\system32\shell32.dll function = ShellExecuteW, address_out = 0x7fefd45983c True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileSize, address_out = 0x76aaf9d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GlobalAlloc, address_out = 0x76aa80c0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindClose, address_out = 0x76abbd60 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WaitForMultipleObjects, address_out = 0x76ab1170 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x76ab64a0 True 1
Fn
Get Address c:\windows\system32\shell32.dll function = ShellExecuteA, address_out = 0x7fefd69ec80 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x76ab65e0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameW, address_out = 0x76ab7700 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x76ac31f0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileSizeEx, address_out = 0x76aa9b30 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WriteFile, address_out = 0x76ac35a0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetLogicalDrives, address_out = 0x76aab930 True 1
Fn
Get Address c:\windows\system32\mpr.dll function = WNetEnumResourceW, address_out = 0x7fefa5541a0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExW, address_out = 0x7fefec806f0 True 1
Fn
Get Address c:\windows\system32\mpr.dll function = WNetCloseEnum, address_out = 0x7fefa5542dc True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetWindowsDirectoryW, address_out = 0x76aa82b0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFileAttributesA, address_out = 0x76aa2d50 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7fefec7b5f0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFilePointer, address_out = 0x76ab1150 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetTickCount, address_out = 0x76ac2b00 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesW, address_out = 0x76abbdd0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindFirstFileW, address_out = 0x76abbd80 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptAcquireContextW, address_out = 0x7fefec6d98c True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = MoveFileExW, address_out = 0x76aa3060 True 1
Fn
Get Address c:\windows\system32\mpr.dll function = WNetOpenEnumW, address_out = 0x7fefa553e00 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoInitialize, address_out = 0x7fefe68a51c True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptDecrypt, address_out = 0x7fefec9b6d0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptImportKey, address_out = 0x7fefec6af6c True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFilePointerEx, address_out = 0x76aaaf00 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileW, address_out = 0x76aa92d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FreeLibrary, address_out = 0x76ab6620 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateProcessW, address_out = 0x76ac1bb0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateDirectoryW, address_out = 0x76aaad70 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateThread, address_out = 0x76ab6580 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptDestroyKey, address_out = 0x7fefec6afa0 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x7fefe697490 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateFileW, address_out = 0x76ab1870 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesA, address_out = 0x76ab13e0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptEncrypt, address_out = 0x7fefec9b650 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegDeleteValueW, address_out = 0x7fefec6bbb0 True 1
Fn
System (12)
Operation Additional Information Success Count Logfile
Sleep duration = 5000 milliseconds (5.000 seconds) True 1
Fn
Sleep duration = 9000 milliseconds (9.000 seconds) True 5
Fn
Get Info type = Operating System True 1
Fn
Get Info type = Windows Directory, result_out = C:\Windows True 5
Fn
Process #838: reg.exe
Information Value
ID #838
File Name c:\windows\system32\reg.exe
Command Line REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe" /f
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:22, Reason: Child Process
Unmonitor End Time: 00:04:23, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xa28
Parent PID 0xe20 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xFA8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
reg.exe.mui 0x000e0000 0x000e8fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0011ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
pagefile_0x0000000000460000 0x00460000 0x005e7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005f0000 0x005f0000 0x00770fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000780000 0x00780000 0x01b7ffff Pagefile Backed Memory r True False False -
sortdefault.nls 0x01b80000 0x01e4efff Memory Mapped File r False False False -
kernelbase.dll.mui 0x01e50000 0x01f0ffff Memory Mapped File rw False False False -
kernel32.dll 0x76aa0000 0x76bbefff Memory Mapped File rwx False False False -
user32.dll 0x76bc0000 0x76cb9fff Memory Mapped File rwx False False False -
ntdll.dll 0x76cc0000 0x76e68fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
reg.exe 0xff020000 0xff075fff Memory Mapped File rwx True False False -
kernelbase.dll 0x7fefcd60000 0x7fefcdcafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fefcfe0000 0x7fefd10cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fefd110000 0x7fefd12efff Memory Mapped File rwx False False False -
imm32.dll 0x7fefd130000 0x7fefd15dfff Memory Mapped File rwx False False False -
usp10.dll 0x7fefd360000 0x7fefd428fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefd430000 0x7fefd43dfff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fefe3a0000 0x7fefe3ecfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fefe880000 0x7fefe91efff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fefeb00000 0x7fefeb70fff Memory Mapped File rwx False False False -
advapi32.dll 0x7fefec60000 0x7fefed3afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed40000 0x7fefeda6fff Memory Mapped File rwx False False False -
nsi.dll 0x7fefee50000 0x7fefee57fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefeec0000 0x7fefefc8fff Memory Mapped File rwx False False False -
apisetschema.dll 0x7fefefe0000 0x7fefefe0fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (5)
Operation Filename Additional Information Success Count Logfile
Get Info STD_OUTPUT_HANDLE type = file_type True 1 Fn
Open STD_OUTPUT_HANDLE - True 3 Fn
Write STD_OUTPUT_HANDLE size = 39 True 1 Fn
Registry (4)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - True 1 Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System - False 1 Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = svchos True 1 Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = svchos, data = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xhcdxx.exe, size = 98, type = REG_SZ True 1 Fn
Module (1)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\reg.exe base_address = 0xff020000 True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-11-27 08:43:12 (UTC) True 1 Fn
Get Time type = Ticks, time = 87500 True 1 Fn